
Mem Configmgr Osd

This document provides an overview of operating system deployment in Configuration Manager, including the different methods, scenarios, and components involved. Key points include:
- Configuration Manager allows deploying operating systems via various methods like PXE, software center, multicast, bootable media, and pre-staged media.
- Common OS deployment scenarios include upgrading Windows, refreshing devices, and installing on new devices.
- Components involved include boot images, OS images, drivers, and saving/restoring user state via task sequences.

Uploaded by

José Adail Maia
OS deployment documentation
Use Configuration Manager to deploy Windows via different methods and automate
tasks.

About OS deployment

OVERVIEW
Introduction to OS deployment
Infrastructure requirements

CONCEPT
Prepare for OS deployment
OS deployment scenarios
OS deployment methods

Get started

HOW-TO GUIDE
Manage task sequences
Create an OS upgrade task sequence
Create a phased deployment
Deploy a task sequence
Debug a task sequence

Technical reference

REFERENCE
Use the task sequence editor
About task sequence steps
How to use task sequence variables
Task sequence variable reference

Introduction to operating system deployment in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use Configuration Manager to deploy operating systems in a number of
different ways. Use the information in this section to understand how to deploy
operating systems and automate tasks.

The operating system deployment process


Configuration Manager provides several methods that you can use to deploy an
operating system. There are several actions that you must take regardless of the
deployment method that you use:

Identify Windows device drivers that are required to start the boot image or install
the operating system image that you have to deploy.

Identify the boot image that you want to use to start the destination computer.

Use a task sequence to capture an image of the operating system that you will
deploy. Alternatively, you can use a default operating system image.

Distribute the boot image, operating system image, and any related content to a
distribution point.

Create a task sequence with the steps to deploy the boot image and the operating
system image.

Deploy the task sequence to a collection of computers.

Monitor the deployment.

Operating system deployment scenarios


There are many operating system deployment scenarios in Configuration Manager that
you can choose from depending on your environment and the purpose for the
operating system installation. For example, you can partition and format an existing
computer with a new version of Windows or upgrade Windows to the latest version. To
help you determine the deployment method that meets your needs, review Scenarios to
deploy enterprise operating systems. You can choose from the following operating
system deployment scenarios:

Upgrade Windows to the latest version

Refresh an existing computer with a new version of Windows

Install a new version of Windows on a new computer (bare metal)

Replace an existing computer and transfer settings

Methods to deploy operating systems


There are several methods that you can use to deploy operating systems to
Configuration Manager client computers.

PXE initiated deployments: PXE-initiated deployments let client computers request
a deployment over the network. In this method of deployment, the operating
system image and a Windows PE boot image are sent to a distribution point that is
configured to accept PXE boot requests. For more information, see Use PXE to
deploy Windows over the network with Configuration Manager.

Make operating systems available in Software Center: You can deploy an
operating system and make it available in the Software Center. Configuration
Manager clients can initiate the operating system installation from Software
Center. For more information, see Replace an existing computer and transfer
settings.

Multicast deployments: Multicast deployments conserve network bandwidth by
concurrently sending data to multiple clients instead of sending a copy of the data
to each client over a separate connection. In this method of deployment, the
operating system image is sent to a distribution point. This in turn deploys the
image when client computers request the deployment. For more information, see
Use multicast to deploy Windows over the network.

Bootable media deployments: Bootable media deployments let you deploy the
operating system when the destination computer starts. When the destination
computer starts, it retrieves the task sequence, the operating system image, and
any other required content from the network. Because that content is not included
on the media, you can update the content without having to re-create the media.
For more information, see Create bootable media.

Stand-alone media deployments: Stand-alone media deployments let you deploy
operating systems in the following conditions:

In environments where it is not practical to copy an operating system image or
other large packages over the network.

In environments without network connectivity or low bandwidth network
connectivity.

For more information, see Create stand-alone media.

Pre-staged media deployments: Pre-staged media deployments let you deploy an
operating system to a computer that is not fully provisioned. The pre-staged
media is a Windows Imaging Format (WIM) file that can be installed on a bare-metal
computer by the manufacturer or at an enterprise staging center that is not
connected to the Configuration Manager environment.

Later in the Configuration Manager environment, the computer starts by using the
boot image provided by the media, and then connects to the site management
point for available task sequences that complete the download process. This
method of deployment can reduce network traffic because the boot image and
operating system image are already on the destination computer. You can specify
applications, packages, and driver packages to include in the pre-staged media.
For more information, see Create prestaged media.

Boot images
A boot image in Configuration Manager is a Windows PE (WinPE) image that is used
during an operating system deployment. Boot images are used to start a computer in
WinPE, which is a minimal operating system with limited components and services that
prepare the destination computer for Windows installation. Configuration Manager
provides two boot images: One to support x86 platforms and one to support x64
platforms. These are considered default boot images. Boot images that you create and
add to Configuration Manager are considered custom images. Default boot images can
be automatically replaced when you update Configuration Manager. For more
information about boot images, see Manage boot images.

Operating system images


Operating system images in Configuration Manager are stored in the Windows Imaging
(WIM) file format and represent a compressed collection of reference files and folders
that are required to successfully install and configure an operating system on a
computer. For all operating system deployment scenarios, you must select an operating
system image. You can use the default operating system image or build the operating
system image from a reference computer that you configure. For more information, see
Manage operating system images.

Operating system upgrade packages


Operating system upgrade packages are used to upgrade an operating system and are
setup-initiated operating system deployments. You import operating system upgrade
packages to Configuration Manager from a DVD or mounted ISO file. For more
information, see Manage operating system upgrade packages.

Media to deploy operating systems


You can create several kinds of media that can be used to deploy operating systems.
This includes capture media that is used to capture operating system images and
stand-alone, pre-staged, and bootable media that is used to deploy an operating system.
By using media, you can deploy operating systems on computers that do not have a
network connection or that have a low bandwidth connection to your Configuration
Manager site. For more information about how to use media, see Create task sequence
media.

Device drivers
You can install device drivers on destination computers without including them in the
operating system image that is being deployed. Configuration Manager provides a
driver catalog that contains references to all the device drivers that you import into
Configuration Manager. The driver catalog is located in the Software Library workspace
and consists of two nodes: Drivers and Driver Packages. The Drivers node lists all the
drivers that you have imported into the driver catalog. You can use this node to discover
the details about each imported driver, to change what driver package or boot image a
driver belongs to, to enable or disable a driver, and more. For more information, see
Manage drivers.

Save and restore user state


When you deploy operating systems, you can save the user state from the destination
computer, deploy the operating system, and then restore the user state after the
operating system is deployed. This process is typically used when you install the
operating system on a Configuration Manager client computer.

The user state information is captured and restored by using task sequences. When the
user state information is captured, the information can be stored in one of the following
ways:

You can store the user state data remotely by configuring a state migration point.
The Capture task sequence sends the data to the state migration point. Then, after
the operating system is deployed, the Restore task sequence retrieves the data and
restores the user state on the destination computer.

You can store the user state data locally to a specific location. In this scenario, the
Capture task sequence copies the user data to a specific location on the
destination computer. Then, after the operating system is deployed, the Restore
task sequence retrieves the user data from that location.

You can specify hard links that can be used to restore the user data to its original
location. In this scenario, the user state data remains on the drive when the old
operating system is removed. Then, after the operating system is deployed, the
Restore task sequence uses the hard links to restore the user state data to its
original location.

For more information, see Manage user state.

Deploy to unknown computers


You can deploy an operating system to computers that are not managed by
Configuration Manager. There is no record of these computers in the Configuration
Manager database. These computers are referred to as unknown computers. Unknown
computers include the following:

A computer where the Configuration Manager client is not installed

A computer that is not imported into Configuration Manager

A computer that is not discovered by Configuration Manager

For more information, see Prepare for unknown computer deployments.

Associate users with a computer


When you deploy an operating system, you can associate users with the destination
computer to support user device affinity actions. When you associate a user with the
destination computer, the administrative user can later perform actions on whichever
computer is associated with that user, such as deploying an application to the computer
of a specific user. However, when you deploy an operating system, you cannot deploy
the operating system to the computer of a specific user. For more information, see
Associate users with a destination computer.

Use task sequences to automate steps


You can create task sequences to perform a variety of tasks within your Configuration
Manager environment. The actions of the task sequence are defined in the individual
steps of the sequence. When the task sequence is run, the actions of each step are
performed at the command-line level without requiring user intervention. You can use
task sequences for the following:

Create a task sequence to install an operating system

Create a task sequence for non-operating system deployments

Create a task sequence to capture an operating system

Create a task sequence to capture and restore user state

Create a custom task sequence


Infrastructure requirements for OS deployment in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

OS deployment in Configuration Manager has external dependencies as well as
dependencies within the product. Use this article to help you prepare the infrastructure
for OS deployment.

Dependencies external to Configuration Manager
This section provides information about external tools, installation kits, and OS versions
that are required to deploy operating systems in Configuration Manager.

Windows ADK
The Windows Assessment and Deployment Kit (ADK) is a set of tools and
documentation that support the configuration and deployment of Windows.
Configuration Manager uses the Windows ADK to automate actions such as installing
Windows, capturing images, and migrating user profiles and data.

For more information, see the following articles:

Support for the Windows ADK in Configuration Manager

Download the Windows ADK

Important

Make sure to download both the Windows ADK and the Windows PE add-on
for the ADK.

Windows ADK scenarios for IT Pros

Site systems
The Windows ADK is a prerequisite for the following site system servers:

The site server of the top-level site in the hierarchy

The site server of each primary site in the hierarchy

Every instance of the SMS Provider

Note

Manually install the Windows ADK on each site server before you install the
Configuration Manager site.

Windows ADK features


Install the following features of the Windows ADK:

User State Migration Tool (USMT)

Note

USMT isn't required on the SMS Provider.

Windows Deployment Tools

Windows Preinstallation Environment (Windows PE)

Important

Windows PE is a separate installer. Otherwise there's no functional difference
from earlier versions of the Windows ADK.

For a list of the versions of the Windows ADK that you can use with different versions of
Configuration Manager, see Support for the Windows ADK.

User State Migration Tool (USMT)


Configuration Manager uses a USMT package that includes the USMT source files to
capture and restore the user state as part of your OS deployment. Configuration
Manager setup at the top-level site automatically creates the USMT package. USMT
captures user state from supported versions of Windows.

For more information, see the following articles:


Manage user state with Configuration Manager

Common migration scenarios for USMT

Windows PE
Windows PE is used for boot images to start a computer. It's a Windows version with
limited services that's used during the pre-installation and deployment of Windows. For
more information about boot images, see Manage boot images.

Windows Server Update Services (WSUS)


WSUS is required for the software update point, which is required to install software
updates during OS deployment. For more information, see Install and configure a software
update point.

Internet Information Services (IIS) on the site system servers
IIS is required for the distribution point, state migration point, and management point.
For more information, see Site and site system prerequisites.

Windows Deployment Services (WDS)


You can use WDS for PXE deployments, or you can enable PXE on a distribution point
without WDS. For more information, see PXE provider options.

Dynamic Host Configuration Protocol (DHCP)


DHCP is required for PXE deployments. You must have a functioning DHCP server with
an active host to deploy operating systems by using PXE. For more information about
PXE deployments, see Use PXE to deploy Windows over the network.

Windows device drivers


Windows device drivers can be used when you install the OS on the destination
computer. They're also used when you run Windows PE in a boot image. For more
information, see Manage drivers.

Configuration Manager dependencies
This section provides information about Configuration Manager OS deployment
prerequisites.

OS image
OS images in Configuration Manager are stored in the Windows Imaging (WIM) file
format. They represent a compressed collection of reference files and folders. These
images are required to successfully install and configure an OS on a computer. For more
information, see Manage OS images.

Driver catalog
To deploy a device driver, import the device driver, enable it, and make it available on a
distribution point that the Configuration Manager client can access. For more
information about the driver catalog, see Manage drivers.

Management point
Management points transfer information between clients and the Configuration
Manager site. The client uses a management point to run the task sequence to complete
the OS deployment. For more information about task sequences, see Planning
considerations for automating tasks.

Distribution point
Distribution points are used in most deployments to store the data that's used to deploy
an OS, such as the image or driver packages. Task sequences typically retrieve data from
a distribution point to deploy the OS. For more information about how to install
distribution points and manage content, see Manage content and content infrastructure.

PXE-enabled distribution point


To deploy PXE-initiated deployments, configure a distribution point to accept PXE
requests from clients. For more information, see Configure a distribution point.

Multicast-enabled distribution point


To optimize your OS deployments by using multicast, configure a distribution point to
support multicast. For more information, see Configure a distribution point.

State migration point


When you capture and restore user state data for side-by-side and refresh deployments,
configure a state migration point to store the user state data on another computer.

For more about how to configure the state migration point, see State migration point.

For more information about how to capture and restore user state, see Manage user
state.

Reporting services point


To use Configuration Manager reports for OS deployments, install and configure a
reporting point. For more information, see Introduction to reporting.

Security permissions for OS deployments


The Operating System Deployment Manager security role is a built-in role that you
can't change. However, you can copy the role, make changes, and then save these
changes as a new custom security role. Here are some of the permissions that apply
directly to OS deployments:

Boot Image Package: Create, Delete, Modify, Modify Folder, Move Object, Read,
Set Security Scope

Device Drivers: Create, Delete, Modify, Modify Folder, Modify Report, Move
Object, Read, Run Report

Driver Package: Create, Delete, Modify, Modify Folder, Move Object, Read, Set
Security Scope

Operating System Image: Create, Delete, Modify, Modify Folder, Move Object,
Read, Set Security Scope

Operating System Upgrade Package: Create, Delete, Modify, Modify Folder, Move
Object, Read, Set Security Scope

Task Sequence Package: Create, Create Task Sequence Media, Delete, Modify,
Modify Folder, Modify Report, Move Object, Read, Run Report, Set Security Scope

For more information, see Create custom security roles.


Security scopes for OS deployments
Use security scopes to provide administrative users with access to the securable objects
used in OS deployments, such as OS and boot images, driver packages, and task
sequence packages. For more information, see Security scopes.

PXE provider options


You can use Windows Deployment Services (WDS) on the same server as the distribution
points that you configure to support PXE or multicast. WDS is included in the server OS.
With this configuration, WDS is the service that performs the PXE boot. When the
distribution point is installed and enabled for PXE, Configuration Manager installs a
provider into WDS that uses the WDS PXE boot functions.

You can also enable PXE on a distribution point without WDS. For more information, see
the Enable a PXE responder without Windows Deployment Service option in Install
and configure distribution points.

WDS requirements
The WDS installation on the server requires that the administrator is a member of
the local Administrators group.

The WDS server must be either a member of an Active Directory domain or a
domain controller for an Active Directory domain. All Windows domain and forest
configurations support WDS.

If the provider is installed on a remote server, install WDS on the site server and
the remote provider.

Note

If the server requires a restart, the installation of WDS might fail.

Considerations when you have WDS and DHCP on the same server
If you plan to co-host the distribution point on a server running DHCP, consider the
following configuration issues:

You need a functioning DHCP server with an active scope. WDS uses PXE, which
requires a DHCP server.

A DNS server is required to run WDS.

The following UDP ports must be open on the WDS server:

Port 67 (DHCP)

Port 69 (TFTP)

Port 4011 (PXE)

Note

If DHCP authorization is required on the server, you need DHCP client port
68 to be open on the server.

DHCP and WDS both require port number 67. If you co-host WDS and DHCP, you
can move DHCP or the distribution point that's configured for PXE to a separate
server. Or, you can use the following procedure to configure the WDS server to
listen on a different port.

How to configure the WDS server to listen on a different port

1. Modify the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE

2. Set the registry value UseDHCPPorts to 0.

3. For the new configuration to take effect, run the following command on the server:

WDSUTIL /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes
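
The following check is an added example, not part of the original documentation: it compares a WDS server's state with the procedure above, previews steps 2 and 3, and lists which processes own the UDP ports named in this section. The function names are hypothetical, and it assumes the DHCP Server role runs under the DHCPServer service name.

```powershell
# Added example (not from the original documentation). Run in an elevated
# session on the server that hosts WDS. Function names are hypothetical.

$WdsPxeKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE'

function Get-WdsDhcpState {
    # Assumption: DHCPServer is the service name of the Windows DHCP Server role.
    $dhcp  = Get-Service -Name 'DHCPServer' -ErrorAction SilentlyContinue
    $value = (Get-ItemProperty -Path $WdsPxeKey -Name 'UseDHCPPorts' `
                  -ErrorAction SilentlyContinue).UseDHCPPorts
    [pscustomobject]@{
        DhcpServiceInstalled = [bool]$dhcp
        UseDHCPPorts         = $value   # $null when the value is absent
    }
}

function Test-WdsDhcpPortConflict {
    # Pure decision logic, so it can be evaluated without touching the system.
    param([bool]$DhcpServiceInstalled, $UseDHCPPorts)
    # Conflict: DHCP is co-hosted and WDS has not been moved off UDP 67.
    # An absent value ($null) is treated the same as "not set to 0".
    return ($DhcpServiceInstalled -and ($UseDHCPPorts -ne 0))
}

function Set-WdsNonDhcpPorts {
    # Steps 2 and 3 of the procedure above. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($WdsPxeKey, 'Set UseDHCPPorts to 0 and run WDSUTIL')) {
        Set-ItemProperty -Path $WdsPxeKey -Name 'UseDHCPPorts' -Value 0 -Type DWord
        & wdsutil.exe /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes
        if ($LASTEXITCODE -ne 0) {
            throw "WDSUTIL exited with code $LASTEXITCODE"
        }
    }
}

$state = Get-WdsDhcpState
$state

$conflict = Test-WdsDhcpPortConflict `
    -DhcpServiceInstalled $state.DhcpServiceInstalled `
    -UseDHCPPorts $state.UseDHCPPorts

if ($conflict) {
    Write-Warning 'DHCP and WDS are co-hosted and UseDHCPPorts is not 0: both require UDP port 67.'
    Set-WdsNonDhcpPorts -WhatIf   # remove -WhatIf to apply the change
}

# Ports listed in this section: 67 (DHCP), 68 (DHCP client, for authorization),
# 69 (TFTP), 4011 (PXE). Show which process is bound to each one.
Get-NetUDPEndpoint -LocalPort 67, 68, 69, 4011 -ErrorAction SilentlyContinue |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, @{
        Name       = 'Process'
        Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }
    }
```

Review the listener output after any change: only the DHCP and WDS services should own these ports on a PXE-enabled distribution point.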

Note

When you enable a PXE responder on a distribution point without WDS, it can be
on the same server as the DHCP service. For more information, see Configure at
least one distribution point to accept PXE requests.

Supported operating systems
All Windows operating systems listed as supported clients in Supported operating
systems for clients and devices are supported for OS deployment.

Supported disk configurations


Configuration Manager supports capturing an OS image only from computers that are
configured with simple volumes. The following table lists the hard disk configurations
that Configuration Manager OS deployment supports on reference and destination
computers:

Reference computer hard disk configuration    Destination computer hard disk configuration
Basic disk                                    Basic disk
Simple volume on a dynamic disk               Simple volume on a dynamic disk

Configuration Manager doesn't support the following hard disk configurations:

Spanned volumes

Striped volumes (RAID 0)

Mirrored volumes (RAID 1)

Parity volumes (RAID 5)

If the reference disk has a basic disk, you can't capture and apply the image to a
destination computer with a dynamic disk.

Next steps
Prepare site system roles for OS deployments
Prepare for OS deployment

Plan for automating tasks in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can create task sequences to automate tasks in your Configuration Manager
environment. These tasks range from capturing an OS on a reference computer to
deploying the OS to one or more destination computers. The actions of the task
sequence are defined in the individual steps of the sequence. When the task sequence
runs, it runs the actions of each step at the command-line level in the Local System
context. This behavior means the task sequence runs fully automated with no user
intervention.

Task sequence steps and actions


Steps are the basic components of a task sequence. They can include commands such
as:

Configure and capture the OS of a reference computer

Install Windows, hardware drivers, the Configuration Manager client, and software
on the destination computer

The actions of the step define the commands of a task sequence step. There are two
types of actions:

An action that you define by using a command-line string is referred to as a
custom action.

An action that's predefined by Configuration Manager is referred to as a built-in
action.

A task sequence can do any combination of custom and built-in actions.

Task sequence steps can also include conditions that control how the step behaves.
These behaviors include stopping the task sequence, or continuing the task sequence if
an error occurs. One type of condition is a task sequence variable. For example, use the
SMSTSLastActionRetCode variable to test the condition of the previous step. Add
conditions to a single step or a group of steps.

The task sequence processes steps sequentially. This sequence includes the action of the
step and any conditions on the step. When Configuration Manager starts to process a
task sequence step, it doesn't start the next step until the previous action is complete.

A task sequence is considered complete when:

All its steps are complete.


A failed step causes Configuration Manager to stop running the task sequence
before all its steps are completed.

For example, if the step of a task sequence can't locate a referenced image or package
on a distribution point, the task sequence includes a broken reference. Configuration
Manager stops running the task sequence at that point, unless the failed step has a
condition to continue when an error occurs.

Important

By default, a task sequence fails after one step or action fails. If you want the task
sequence to continue even when a step fails, edit the task sequence, switch to the
Options tab, and then select Continue on error.

For more information about the steps that can be added to a task sequence, see Task
sequence steps.

Task sequence groups


You can group multiple steps within a task sequence. A task sequence group consists of
a name, an optional description, and any optional conditions. The task sequence
evaluates the group conditions as a unit before it continues with the next step. Nest
groups within each other, or include a mixture of steps and subgroups. Groups are
useful for combining multiple steps that share a common condition.

Assign a name to task sequence groups. It doesn't have to be unique. You can also
provide an optional description for the task sequence group.

Important

By default, a task sequence group fails when any step or embedded group within
the group fails. If you want the task sequence to continue when a step or
embedded group fails, set the Continue on error option on the step or group.

The following table shows how the Continue on error option works when you group
steps. In this example, there are two groups of task sequences that include three task
sequence steps each.

Task sequence group or step    Continue on error setting
Task sequence group 1          Continue on error selected.
Task sequence step 1           Continue on error selected.
Task sequence step 2           Not set.
Task sequence step 3           Not set.
Task sequence group 2          Not set.
Task sequence step 4           Not set.
Task sequence step 5           Not set.
Task sequence step 6           Not set.

If task sequence step 1 fails, the task sequence continues with task sequence step
2.

If task sequence step 2 fails, the task sequence doesn't run task sequence step 3.
Because task sequence group 1 is configured to Continue on error, the task
sequence continues to task sequence group 2. It runs task sequence step 4 next.

If task sequence step 4 fails, no more steps are run. The task sequence fails
because the Continue on error setting isn't configured for task sequence group 2.
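
The small model below is an added example, not Configuration Manager code: it encodes the Continue on error rules from the table and replays the three failure cases, and it also handles nested groups. All function and property names are hypothetical.

```powershell
# Added illustration, not Configuration Manager code. It models only the
# Continue on error rules described above; all names here are hypothetical.

function New-TsStep {
    param([string]$Name, [switch]$ContinueOnError)
    [pscustomobject]@{ Name = $Name; ContinueOnError = [bool]$ContinueOnError; Children = $null }
}

function New-TsGroup {
    param([string]$Name, [object[]]$Children, [switch]$ContinueOnError)
    [pscustomobject]@{ Name = $Name; ContinueOnError = [bool]$ContinueOnError; Children = $Children }
}

function Test-TsNode {
    # Returns $true if the step or group succeeded, $false if it failed.
    param(
        $Node,
        [string[]]$FailingSteps,
        [System.Collections.Generic.List[string]]$Ran
    )
    if ($null -eq $Node.Children) {
        # A step: record that it ran, then report its simulated outcome.
        $Ran.Add($Node.Name)
        return ($FailingSteps -notcontains $Node.Name)
    }
    foreach ($child in $Node.Children) {
        $ok = Test-TsNode -Node $child -FailingSteps $FailingSteps -Ran $Ran
        # A failed child without Continue on error fails the whole group
        # and the remaining children of the group are skipped.
        if (-not $ok -and -not $child.ContinueOnError) { return $false }
    }
    return $true
}

function Invoke-TsModel {
    param([object[]]$Sequence, [string[]]$FailingSteps = @())
    $ran  = [System.Collections.Generic.List[string]]::new()
    # The task sequence itself behaves like a top-level group without Continue on error.
    $root = New-TsGroup -Name 'Task sequence' -Children $Sequence
    $ok   = Test-TsNode -Node $root -FailingSteps $FailingSteps -Ran $ran
    [pscustomobject]@{
        FailingStep     = $FailingSteps -join ', '
        StepsRun        = $ran -join ', '
        TaskSequenceRan = if ($ok) { 'to the end' } else { 'stopped on error' }
    }
}

# The layout from the table: group 1 and step 1 have Continue on error selected.
$sequence = @(
    (New-TsGroup -Name 'Group 1' -ContinueOnError -Children @(
        (New-TsStep -Name 'Step 1' -ContinueOnError),
        (New-TsStep -Name 'Step 2'),
        (New-TsStep -Name 'Step 3')
    )),
    (New-TsGroup -Name 'Group 2' -Children @(
        (New-TsStep -Name 'Step 4'),
        (New-TsStep -Name 'Step 5'),
        (New-TsStep -Name 'Step 6')
    ))
)

# Replay the three cases discussed above, one failing step at a time.
foreach ($failing in 'Step 1', 'Step 2', 'Step 4') {
    Invoke-TsModel -Sequence $sequence -FailingSteps $failing
}
```

When reviewing a real task sequence, the same walk shows which steps can be silently skipped: a security-relevant step placed after a failing sibling in a group with Continue on error selected never runs, yet the task sequence still proceeds.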

Add child task sequences to a task sequence


Add a new task sequence step that runs another task sequence. This step creates a
parent-child relationship between the task sequences. Using this step allows you to
create more modular task sequences that you can reuse.

For more information, see Run Task Sequence.

Note

Configuration Manager doesn't enable this optional feature by default. You must
enable this feature before using it. For more information, see Enable optional
features from updates.

Task sequence variables
Task sequence variables are a set of name and value pairs. They supply configuration
and OS deployment settings for computer, OS, and user state configuration tasks on a
Configuration Manager client. Task sequence variables provide a mechanism to
configure and customize the steps in a task sequence.

When you run a task sequence, it stores many of the task sequence settings as
environment variables. You can access or change the values of built-in task sequence
variables. You can also create new task sequence variables to customize the way a task
sequence runs on a destination computer.

Use task sequence variables to do the following actions:

Configure settings for a task sequence action

Supply command-line arguments for a task sequence step

Evaluate a condition that determines whether a task sequence step or group runs

Provide values for custom scripts used in a task sequence

For example, you have a task sequence that includes a Join Domain or Workgroup task
sequence step. Deploy the task sequence to different collections, where the membership
of the collection is determined by domain membership. Specify a per-collection task
sequence variable for each collection's domain name. Then use that task sequence
variable to supply the appropriate domain name in the task sequence.

For more information, see How to use task sequence variables.

Create a task sequence


Create task sequences by using the Create Task Sequence Wizard. The wizard can create
built-in task sequences that do specific tasks or custom task sequences that can do
many different tasks. The wizard lets you create the following types of task sequences:

Install an existing OS image on a destination computer

Build and capture an OS image of a reference computer

Upgrade Windows with an OS upgrade package on a destination computer

Create a custom task sequence that does a customized task or specialized OS
deployment

For more information, see Create a task sequence to install an OS.

Edit a task sequence


Edit the task sequence by using the Task Sequence Editor. The editor can make the
following changes to the task sequence:

Add or remove steps from the task sequence

Change the order of the steps of the task sequence

Add or remove groups of steps

Specify whether the task sequence continues when an error occurs

Add conditions to the steps and groups of a task sequence

Important

If the task sequence has any unassociated references to an object as a result of the
edit, the editor requires you to fix the reference before it can close. Possible actions
include:

Correct the reference

Delete the unreferenced object from the task sequence

Temporarily disable the failed task sequence step until the broken reference is
corrected or removed

For more information about how to edit task sequences, see Use the task sequence
editor.

Deploy a task sequence


Deploy a task sequence to destination computers that are in any Configuration Manager
collection. Use the built-in All Unknown Computers collection to deploy operating
systems to unknown computers. You can't deploy a task sequence to user collections.

Important

Don't deploy task sequences that install operating systems to inappropriate
collections. Be sure that the collection to which you deploy the task sequence
includes only those computers where you want to install the OS. To help prevent
unwanted OS deployments, configure settings for high-risk deployments. For more
information, see Settings to manage high-risk deployments.

Each destination computer that receives the task sequence runs the task sequence
according to the settings specified in the deployment. The task sequence itself doesn't
contain associated files or programs. Any files that a task sequence references must
already be present on the destination computer or stored on a distribution point that
clients can access.

Note

The task sequence installs packages that are referenced by programs, even if the
program or package is already installed on the destination computer.

If the task sequence installs an application, the application installs only if the
requirement rules for the application are met, and the application isn't already
installed, based on the detection method that's specified for the application.

The Configuration Manager client runs a task sequence deployment when it downloads
client policy. To trigger this action rather than wait until the next polling cycle, see
Initiate policy retrieval for a Configuration Manager client.

When you deploy task sequences to Windows Embedded devices that are enabled with
a write filter, you can specify whether to disable the write filter on the device during the
deployment and then restart the device after the deployment. If the write filter isn't
disabled, the task sequence is deployed to a temporary overlay and it won't be available
when the device restarts.

Note

When you deploy a task sequence to a Windows Embedded device, ensure that the
device is a member of a collection that has a configured maintenance window. This
allows you to manage when the write filter is disabled and enabled, and when the
device restarts.

If clients download task sequences outside of a maintenance window, the task
sequence is downloaded twice. In this scenario, the client downloads the task
sequence, disables the write filter, restarts the computer, and then downloads the
task sequence again. This behavior is because the task sequence was originally
downloaded to the temporary overlay, which is cleared when the device restarts.

For more information about how to deploy task sequences, see Deploy a task
sequence.

Export and import


Configuration Manager lets you export and import task sequences. When you export a
task sequence, you can include the objects that are referenced by the task sequence.

For more information, see Export and import task sequences.

Run a task sequence


Task sequences always run by using the Local System account. When the task sequence
runs, the Configuration Manager client first checks for any referenced packages before it
starts the steps of the task sequence. If it can't validate or download a referenced
package, the task sequence returns an error for the associated task sequence step.

Note

The task sequence step Run Command Line provides the ability to run a command
as a different account.

If you configure a task sequence deployment to download and run, the Configuration
Manager client downloads all dependent content to its cache. If the client cache size is
too small or the content can't be found, the task sequence fails. The client generates a
status message.

You can also specify that the client downloads the content only when it's required. To do
this action, select Download content locally when needed by running task sequence in
the task sequence deployment. Another option is to Run program from distribution
point. With this option, the client installs the files directly from the distribution point
without downloading them into the cache first.

When you configure the task sequence deployment as Available, if the client can't
locate dependent content for the task sequence, it immediately sends an error. For a
Required deployment, the Configuration Manager client waits in this situation. It retries
the download until the deadline, in case the content isn't yet replicated to a
content location that the client can access.

When a task sequence completes successfully or fails, Configuration Manager records
this state in the client history.

Once a task sequence starts on a computer, you can't cancel or stop it.

Important

If a task sequence step requires the computer to restart, the client must be able to
boot to a formatted disk partition. Otherwise, the task sequence fails regardless of
any error handling that you specify in the task sequence.

When a dependent object of a task sequence is updated to a newer version, any task
sequence that references the package is automatically updated. It references the newest
version, no matter how many updates you've deployed.

Use maintenance windows


You can specify when the task sequence can run by defining a maintenance window for
the device collection. You configure maintenance windows with a start date, a start and
finish time, and a recurrence pattern. When you set the schedule for the maintenance
window, you can specify that the maintenance window applies only to task sequences.

For more information, see How to use maintenance windows.

Important

When you configure a maintenance window to run a task sequence, once the task
sequence starts it continues to run even if the maintenance window closes.

If a device has more than one maintenance window applied, the client may ignore an All
deployments maintenance window. Starting in version 1810, use the following client
setting to control this behavior: Enable installation of software updates in "All
deployments" maintenance window when "Software Update" maintenance window is
available. For more information, see About client settings.

Task sequences and the network access account

Important

Some OS deployment scenarios don't require use of the network access account.
For more information, see Enhanced HTTP.

Although task sequences run only in the context of the Local System account, you might
need to configure the network access account in the following circumstances:

If the task sequence tries to access Configuration Manager content on distribution
points. Correctly configure the network access account, or the task sequence will
fail.

When you use a boot image to initiate an OS deployment. In this case,
Configuration Manager uses the Windows PE environment, which isn't a full OS.
The Windows PE environment uses an automatically generated, random name that
isn't a member of any domain. If you don't correctly configure the network access
account, the computer can't access the required content for the task sequence.

Note

The network access account is never used as the security context for running
programs, installing applications, installing updates, or running task sequences. The
network access account is only used to access the associated resources on the
network.

For more information about the network access account, see Network access account.

Enhanced HTTP
When you enable Enhanced HTTP, the following scenarios don't require a network
access account to download content from a distribution point:

Task sequences running from boot media or PXE


Task sequences running from Software Center

These task sequences can be for OS deployment or custom. It's also supported for
workgroup computers.

For more information, see Enhanced HTTP.

Note

The following OS deployment scenarios still require the use of a network access
account:

The task sequence deployment option, Access content directly from a
distribution point when needed by the running task sequence

The Request State Store step option, If computer account fails to connect to
a state store, use the network access account

When connecting with an untrusted domain or across Active Directory forests

The Apply OS Image step option, Access content directly from the
distribution point

The task sequence advanced setting to Run another program first

Multicast

Create media
You can write task sequences and their related files and dependencies to several types
of media. Configuration Manager supports removable media such as a DVD or a USB
flash drive for capture, stand-alone, and bootable media. Prestaged media uses a
Windows image (WIM) file.

When you create media, specify a password to control access. Then a person must enter
the password at the target computer to run the task sequence.

When you run a task sequence from media, the specified processor architecture of the
media isn't recognized. If the architecture of the media doesn't match the architecture
of the target computer, the task sequence still attempts to run, and then fails.

For more information, see Create task sequence media.

Media types
Configuration Manager supports the following types of media:

Capture media

This media captures an OS image that you configure and create outside of the
Configuration Manager infrastructure. Capture media can contain custom programs that
can run before a task sequence runs. The custom program can interact with the desktop,
prompt the user for input values, or create variables to be used by the task sequence.

For more information, see Create capture media.

Stand-alone media
Stand-alone media contains the task sequence and all associated objects that are
necessary for the task sequence to run. Stand-alone media task sequences can run when
Configuration Manager has limited or no connectivity to the network. Run stand-alone
media in the following ways:

If the destination computer isn't booted, the Windows PE image associated with
the task sequence is used from the stand-alone media, and the task sequence
begins.

Manually start the stand-alone media. If a user is signed in to the computer, they
can initiate the task sequence from the media.

Important

The steps of a stand-alone media task sequence must be able to run without
retrieving any data from the network. Otherwise, the task sequence step that tries
to retrieve the data fails. For example, a task sequence step that requires a
distribution point to obtain a package fails. If the stand-alone media contains the
necessary package, the task sequence step succeeds.

For more information, see Create stand-alone media.

Bootable media
Bootable media contains the required files to start a destination computer so that it can
connect to the Configuration Manager infrastructure. It then determines which task
sequences to run based on its collection memberships. This media doesn't include the
task sequence or dependent objects. Instead, the client downloads the content over the
network. This method is useful for new computers or bare-metal deployments, when no
OS is on the destination computer.

For more information, see Create bootable media.

Prestaged media

Prestaged media deploys an OS image to a destination computer that isn't provisioned.


The prestaged media is stored as a Windows image (WIM) file. This file can be installed
on a bare-metal computer by the manufacturer or at an enterprise staging center. A
benefit of prestaged media is that these locations don't require a connection to your
Configuration Manager environment.

For more information, see Create prestaged media.


Next steps
Security and privacy for OS deployment

Prepare site system roles for OS deployments


Scenarios to deploy enterprise operating systems with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following OS deployment scenarios are available in Configuration Manager:

Upgrade Windows to the latest version


This scenario upgrades the OS on computers that run an earlier version of Windows. The
upgrade process keeps the applications, settings, and user data on the computer. There
are no external dependencies, such as the Windows ADK. This process can be faster and
more resilient than traditional OS deployments.

This scenario applies to all supported versions of Windows client and Windows Server.

For more information, see Upgrade Windows to the latest version.

Windows Autopilot for existing devices


Windows Autopilot for existing devices is available with Windows 10, version 1809 or
later. This feature allows you to reimage and provision a device with an earlier version of
Windows for Windows Autopilot user-driven mode using a single Configuration
Manager task sequence.

This scenario applies to Windows 10 version 1809 and later.

For more information, see Windows Autopilot for existing devices.

Refresh an existing computer with a new version

This scenario partitions and formats an existing computer and installs a new OS on the
computer. It's also referred to as wipe and load. You can migrate settings and user data
after the OS is installed.

This scenario applies to all supported versions of Windows client and Windows Server.

For more information, see Refresh an existing computer with a new version of Windows.

Install a new version of Windows on a new computer

This scenario installs an OS on a new computer. It's also referred to as bare metal. It's a
fresh installation of the OS and doesn't include any settings or user data migration.

This scenario applies to all supported versions of Windows client and Windows Server.

For more information, see Install a new version of Windows on a new computer (bare
metal).

Replace an existing computer and transfer settings

This scenario installs an OS on a new computer, and migrates settings and user data
from an old computer to the new computer.

This scenario applies to all supported versions of Windows client and Windows Server.

For more information, see Replace an existing computer and transfer settings.

Upgrade Windows to the latest version with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article provides the steps in Configuration Manager to upgrade the Windows OS on
a computer. You can choose from different deployment methods, such as stand-alone
media or Software Center. The in-place upgrade scenario has the following features:

Upgrades the OS to Windows 10 or later, or Windows Server 2016 and later

Keeps the applications, settings, and user data on the computer

Has no external dependencies, such as the Windows ADK

Is faster and more resilient than traditional OS deployments

Note

The Windows in-place upgrade task sequence supports deployment to internet-based
clients managed through the cloud management gateway. This ability
allows remote users to more easily upgrade to Windows without needing to
connect to the intranet. For more information, see Deploy Windows in-place
upgrade via CMG.

Starting in version 2103, you can upgrade by using a feature update deployed with the
task sequence. This integration combines the simplicity of Windows servicing with the
flexibility of task sequences. Servicing uses content that you synchronize through the
software update point. This process simplifies the need to manually get, import, and
maintain the Windows image content used with a standard task sequence to upgrade
Windows. The size of the servicing ESD file is generally smaller than the OS upgrade
package and WIM image file. You can also use Windows features such as Dynamic
Update and Delivery Optimization. The user experience with a feature update in a task
sequence is the same as with an OS upgrade package.

Supported versions

Upgrade version
Only create OS upgrade packages to upgrade to the following OS versions:

Windows 11
Windows 10
Windows Server 2016
Windows Server 2019
Windows Server 2022

Original version
Devices must run one of the following OS versions to target an OS upgrade task
sequence:

Windows client
Windows 7
Windows 8.1
An earlier version of Windows 10 or Windows 11. For example, you can upgrade
Windows 10, version 2004 to Windows 10, version 21H1.

For more information, see Windows client upgrade paths.

Note

OS deployment isn't supported for Windows on ARM64 devices, except for a
feature update task sequence. Starting in version 2103, you can deploy a task
sequence with a feature update to an ARM64 device.

Windows Server

Windows Server 2012
Windows Server 2012 R2
An earlier version of Windows Server 2016
An earlier version of Windows Server 2019
An earlier version of Windows Server 2022

For more information about Windows Server supported upgrade paths, see Windows
Server 2016 supported upgrade paths and Windows Server Upgrade Center.

Plan
Task sequence requirements and limitations
Review the following requirements and limitations for the task sequence to upgrade an
OS to make sure it meets your needs:

Only add task sequence steps that are related to the core task of upgrading the
OS. These steps primarily include installing packages, applications, or updates. Also
use steps that run command lines, PowerShell, or set dynamic variables.

Review drivers and applications that are installed on computers. Before you deploy
the upgrade task sequence, make sure the drivers are compatible with the target
version of Windows.

The following tasks aren't compatible with the in-place upgrade. They require you to use
traditional OS deployments:

Changing the computer's domain membership, or updating the local
Administrators group.

Implementing a fundamental change on the computer, such as:

Changing disk partitions
Changing the system architecture from x86 to x64
Implementing UEFI. For more information on a possible option, see Convert
from BIOS to UEFI during an in-place upgrade.
Modifying the base OS language

You have custom requirements, including using a custom base image, using
third-party disk encryption, or requiring WinPE offline operations.

Infrastructure requirements
The only infrastructure prerequisite for the upgrade scenario is to have a distribution
point available. Distribute the OS upgrade package or feature update, and any other
content that you include in the task sequence. For more information, see Install or
modify a distribution point.

Starting in version 2103, if you use a feature update with a Windows upgrade task
sequence, you need a software update point to synchronize the Upgrades classification.
For more information, see Install and configure a software update point.

Configure
Prepare the OS upgrade package
The Windows upgrade package contains the source files necessary to upgrade the OS
on the destination computer. The upgrade package must be the same edition,
architecture, and language as the clients that you upgrade. For more information, see
Manage OS upgrade packages.

Note

In version 2103 or later, if you use a feature update with a Windows upgrade task
sequence, you don't need the OS upgrade package.

Create a task sequence to upgrade the OS


Use the steps in Create a task sequence to upgrade an OS to automate the upgrade of
the OS.

Note

To create a task sequence to upgrade Windows, you typically use the steps in
Create a task sequence to upgrade an OS. The task sequence includes the
Upgrade OS step, as well as additional recommended steps and groups to handle
the end-to-end upgrade process.

You can create a custom task sequence and add the Upgrade OS step. This step is
the only one required to upgrade Windows. If you choose this method, to complete
the upgrade, also add the Restart Computer step after the Upgrade OS step. Make
sure to use the setting for The currently installed default operating system to
restart the computer into the installed OS and not Windows PE.

Next steps
First create a task sequence to upgrade an OS.

Then deploy the task sequence with one of the following deployment methods:

Use Software Center to deploy Windows over the network

Use stand-alone media to deploy Windows without using the network


Important

When you use stand-alone media, you must include a boot image in the task
sequence. This configuration makes the task sequence available in the Task
Sequence Media Wizard.

To monitor the task sequence deployment to upgrade the OS, see Monitor OS
deployments.

Windows Autopilot deployment for existing devices
Article • 08/10/2023

Applies to:

Windows 11
Windows 10

Modern desktop deployment with Windows Autopilot helps you easily deploy the latest
version of Windows to your existing devices. The apps you need for work can be
automatically installed. If you manage Windows user data with OneDrive for Business,
your data is synchronized, so users can resume working right away.

Windows Autopilot for existing devices lets you reimage and provision a Windows
device for Autopilot user-driven mode using a single, native Configuration Manager task
sequence. The existing device can be on-premises domain-joined. The end result is a
Windows 10 or Windows 11 device joined to either Azure Active Directory (Azure AD) or
Active Directory (hybrid Azure AD join).

Note

The JSON file for Windows Autopilot for existing devices only supports user-driven
Azure AD and user-driven hybrid Azure AD Autopilot profiles. Self-deploying and
pre-provisioning Autopilot profiles aren't supported with JSON files due to these
scenarios requiring TPM attestation.

However, during the Windows Autopilot for existing devices deployment, if the
following conditions are true:

Device is already a Windows Autopilot device before the deployment begins


Device has an Autopilot profile assigned to it

then the assigned Autopilot profile takes precedence over the JSON file installed by
the task sequence. In this scenario, if the assigned Autopilot profile is either a
self-deploying or pre-provisioning Autopilot profile, then the self-deploying and
pre-provisioning scenarios are supported.

Tip

Autopilot for existing devices can be used as a method to convert existing
hybrid Azure AD devices into Azure AD devices. Using the setting Converting all
targeted devices to Autopilot in the Autopilot profile doesn't automatically convert
existing hybrid Azure AD devices in the assigned group(s) into Azure AD devices.
The setting only registers the devices in the assigned group(s) for the Autopilot
service.

Prerequisites
A currently supported version of Microsoft Configuration Manager current branch.
Assigned Microsoft Intune licenses.
Azure AD Premium.
A supported version of Windows 10 or Windows 11 imported into Configuration
Manager as an OS image.

Note

Typically, the target device isn't registered with the Windows Autopilot service. If
the device is already registered, the assigned profile takes precedence. The
Autopilot for existing devices profile only applies if the online profile times out.

Configure the Enrollment Status Page (optional)

If you want, you can set up an enrollment status page (ESP) for Autopilot using Intune.

1. Open the Microsoft Intune admin center.

2. Go to Devices > Enroll Devices > Windows enrollment > Enrollment Status Page
and Set up the Enrollment Status Page.
3. Go to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune
and enable Windows automatic enrollment. Configure the MDM user scope for
some or all users.

Install required modules

Tip

To run the following commands on a computer running Windows Server 2012/2012
R2, first download and install the Windows Management Framework.

Note

The PowerShell code snippets in this section were updated in July of 2023 to use
the Microsoft Graph PowerShell modules instead of the deprecated AzureAD Graph
PowerShell modules. The Microsoft Graph PowerShell modules may require
approval of additional permissions in Azure AD when they're first used. They were also
updated to force using an updated version of the WindowsAutoPilot module. For
more information, see AzureAD and Important: Azure AD Graph Retirement and
PowerShell Module Deprecation.

1. On an internet-connected Windows PC or server, open an elevated Windows
PowerShell command window.

2. Enter the following commands to install and import the necessary modules:

PowerShell

# Install the NuGet provider and the required modules
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module WindowsAutopilotIntune -MinimumVersion 5.4.0 -Force
Install-Module Microsoft.Graph.Groups -Force
Install-Module Microsoft.Graph.Authentication -Force
Install-Module Microsoft.Graph.Identity.DirectoryManagement -Force

# Import the modules into the current session
Import-Module WindowsAutopilotIntune -MinimumVersion 5.4
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement

3. Enter the following commands and provide Intune administrative credentials:

Make sure the user account you specify has sufficient administrative rights.

PowerShell

Connect-MgGraph -Scopes "Device.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All", "Domain.ReadWrite.All",
    "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "User.Read"

Windows requests the user and password for your account with a standard Azure
AD form. Type your username and password, and then select Sign in.

The first time Intune Graph APIs are used on a device, it prompts to enable
Microsoft Intune PowerShell read and write permissions. To enable these
permissions, select Consent on behalf of your organization and then Accept.

Get Autopilot profiles for existing devices


Get all the Autopilot profiles available in your Intune tenant, and display them in JSON
format:

PowerShell

Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON

See the following sample output:

PowerShell

PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
{
    "CloudAssignedTenantId": "1537de22-988c-4e93-b8a5-83890f34a69b",
    "CloudAssignedForcedEnrollment": 1,
    "Version": 2049,
    "Comment_File": "Profile Autopilot Profile",
    "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
    "CloudAssignedTenantDomain": "M365x373186.onmicrosoft.com",
    "CloudAssignedDomainJoinMethod": 0,
    "CloudAssignedOobeConfig": 28,
    "ZtdCorrelationId": "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
}

Each profile is encapsulated within braces ( { } ). The previous example displays a single
profile.

JSON file properties

Version

(Number, optional)

The version number that identifies the format of the JSON file.

CloudAssignedTenantId
(GUID, required)

The Azure AD tenant ID that should be used. This property is the GUID for the tenant,
and can be found in properties of the tenant. The value shouldn't include braces.

CloudAssignedTenantDomain
(String, required)

The Azure AD tenant name that should be used. For example: tenant.onmicrosoft.com.

CloudAssignedOobeConfig
(Number, required)

This property is a bitmap that shows which Autopilot settings were configured.

1: SkipCortanaOptIn
2: OobeUserNotLocalAdmin
4: SkipExpressSettings
8: SkipOemRegistration
16: SkipEula

CloudAssignedDomainJoinMethod

(Number, required)
This property specifies whether the device should join Azure AD or Active Directory
(hybrid Azure AD join).

0: Azure AD-joined
1: Hybrid Azure AD-joined

CloudAssignedForcedEnrollment

(Number, required)

Specifies that the device should require Azure AD join and MDM enrollment.

0: Not required
1: Required

ZtdCorrelationId

(GUID, required)

A unique GUID (without braces) that's provided to Intune as part of the registration
process. This ID is included in the enrollment message as the
OfflineAutopilotEnrollmentCorrelator. This attribute is present only if enrollment
happens on a device registered with Zero Touch Provisioning via offline registration.

CloudAssignedAadServerData
(Encoded JSON string, required)

An embedded JSON string used for branding. It requires that you enable Azure AD
organization branding.

For example:

"CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}"

CloudAssignedDeviceName

(String, optional)

The name that's automatically assigned to the computer. This name follows the naming
pattern convention configured in the Intune Autopilot profile. You can also specify an
explicit name to use.

Create the JSON file


Save the Autopilot profile as a JSON file in ASCII or ANSI format. Windows PowerShell
defaults to Unicode format. So, if you redirect output of the commands to a file, also
specify the file format. The following PowerShell example saves the file in ASCII format.
The Autopilot profile(s) appears in a subfolder under the folder specified by the
$targetDirectory variable. By default, the $targetDirectory variable is C:\AutoPilot,
but it can be changed to another location if desired. The subfolder has the name of the
Autopilot profile from Intune. If there are multiple Autopilot profiles, each profile has its
own subfolder. In each folder, there's a JSON file named
AutopilotConfigurationFile.json.

PowerShell

Connect-MgGraph -Scopes "Device.ReadWrite.All",
    "DeviceManagementManagedDevices.ReadWrite.All",
    "DeviceManagementServiceConfig.ReadWrite.All", "Domain.ReadWrite.All",
    "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "User.Read"
$AutopilotProfile = Get-AutopilotProfile
$targetDirectory = "C:\Autopilot"
$AutopilotProfile | ForEach-Object {
    # One subfolder per Autopilot profile, named after the profile
    New-Item -ItemType Directory -Path "$targetDirectory\$($_.displayName)"
    # Write the JSON as ASCII; the path must stay on the same line as Set-Content
    $_ | ConvertTo-AutopilotConfigurationJSON | Set-Content -Encoding Ascii "$targetDirectory\$($_.displayName)\AutopilotConfigurationFile.json"
}

Tip

If you use the PowerShell cmdlet Out-File to redirect the JSON output to a file, it
uses Unicode encoding by default. This cmdlet may also truncate long lines. Use
the Set-Content cmdlet with the -Encoding ASCII parameter to set the proper text
encoding.

Important

The file name has to be AutopilotConfigurationFile.json and encoded as ASCII or
ANSI.

You can also save the profile to a text file and edit in Notepad. In Notepad, when you
choose Save as, select the save as type: All Files, and then choose ANSI for the
Encoding.

After you save the file, move it to a location for a Microsoft Configuration Manager
package source.

Important

The configuration file can only contain one profile. You can use multiple JSON
profile files, but each one must be named AutopilotConfigurationFile.json . This
requirement is for OOBE to follow the Autopilot experience. To use more than one
Autopilot profile, create separate Configuration Manager packages.

If you save the file with Unicode or UTF-8 encoding, or save it with a different file
name, the Windows OOBE won't follow the Autopilot experience.
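
A check that can be run against the package source before distribution, covering the file name, encoding, single-profile and required-property rules described above and decoding the CloudAssignedOobeConfig bitmap. This is an added example, not code from Microsoft or the WindowsAutopilotIntune module; the function name Test-AutopilotConfigurationFile, the sample tenant values and the tenant-domain consistency check are assumptions.

```powershell
# Added example. Test-AutopilotConfigurationFile is a hypothetical helper, not part of
# the WindowsAutopilotIntune module or Configuration Manager.
function Test-AutopilotConfigurationFile {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Path)

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $result = [ordered]@{ Path = $Path; OobeSettings = @(); Problems = $problems }

    # OOBE follows the Autopilot experience only for this exact file name.
    if ((Split-Path -Path $Path -Leaf) -ne 'AutopilotConfigurationFile.json') {
        $problems.Add('File name must be AutopilotConfigurationFile.json')
    }

    # A byte order mark or NUL bytes mean the file was written as Unicode (UTF-16) or as
    # UTF-8 with a BOM rather than ASCII or ANSI.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $head = (@($bytes | Select-Object -First 3) | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($head -match '^(EFBBBF|FFFE|FEFF)' -or $bytes -contains 0) {
        $problems.Add('Unicode or UTF-8 BOM encoding detected; save the file as ASCII or ANSI')
        return [pscustomobject]$result
    }
    if (@($bytes | Where-Object { $_ -gt 127 }).Count -gt 0) {
        $problems.Add('Bytes above 0x7F found; confirm the file is ANSI and not UTF-8')
    }

    # Parse, then count profiles: the file can contain only one.
    try { $parsed = [System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add("Not valid JSON: $($_.Exception.Message)"); return [pscustomobject]$result }
    $profiles = @($parsed)
    if ($profiles.Count -ne 1) {
        $problems.Add("Expected exactly one profile, found $($profiles.Count)")
        return [pscustomobject]$result
    }
    $config = $profiles[0]

    # Properties the page marks as required.
    $required = 'CloudAssignedTenantId', 'CloudAssignedTenantDomain', 'CloudAssignedOobeConfig',
        'CloudAssignedDomainJoinMethod', 'CloudAssignedForcedEnrollment',
        'ZtdCorrelationId', 'CloudAssignedAadServerData'
    $present = @($config.PSObject.Properties.Name)
    $missing = @($required | Where-Object { $present -notcontains $_ })
    foreach ($name in $missing) { $problems.Add("Missing required property: $name") }
    if ($missing.Count -gt 0) { return [pscustomobject]$result }

    # GUIDs must be written without braces.
    $guidPattern = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    foreach ($name in 'CloudAssignedTenantId', 'ZtdCorrelationId') {
        if ([string]$config.$name -notmatch $guidPattern) { $problems.Add("$name must be a GUID without braces") }
    }

    # Numeric properties; join method and forced enrollment only take 0 or 1.
    foreach ($name in 'CloudAssignedOobeConfig', 'CloudAssignedDomainJoinMethod', 'CloudAssignedForcedEnrollment') {
        if ($config.$name -isnot [int] -and $config.$name -isnot [long]) {
            $problems.Add("$name must be a JSON number")
        } elseif ($name -ne 'CloudAssignedOobeConfig' -and $config.$name -notin 0, 1) {
            $problems.Add("$name must be 0 or 1")
        }
    }

    # Decode the CloudAssignedOobeConfig bitmap: bit n (values 1, 2, 4, 8, 16) maps to $flagNames[n].
    $flagNames = 'SkipCortanaOptIn', 'OobeUserNotLocalAdmin', 'SkipExpressSettings', 'SkipOemRegistration', 'SkipEula'
    $oobe = $config.CloudAssignedOobeConfig -as [int]
    $result.OobeSettings = @(0..4 | Where-Object { $oobe -band (1 -shl $_) } | ForEach-Object { $flagNames[$_] })

    # CloudAssignedAadServerData is JSON encoded inside a JSON string. Assumption: its tenant
    # domain should match CloudAssignedTenantDomain, as in the page's samples.
    try {
        $inner = [string]$config.CloudAssignedAadServerData | ConvertFrom-Json -ErrorAction Stop
        if ($inner.ZeroTouchConfig.CloudAssignedTenantDomain -ne $config.CloudAssignedTenantDomain) {
            $problems.Add('Tenant domain in CloudAssignedAadServerData differs from CloudAssignedTenantDomain')
        }
    } catch { $problems.Add('CloudAssignedAadServerData is not a valid embedded JSON string') }
    return [pscustomobject]$result
}

# Constructed sample profile with placeholder tenant values.
$sample = @'
{
    "CloudAssignedTenantId": "11111111-2222-3333-4444-555555555555",
    "CloudAssignedTenantDomain": "tenant.onmicrosoft.com",
    "CloudAssignedOobeConfig": 28,
    "CloudAssignedDomainJoinMethod": 0,
    "CloudAssignedForcedEnrollment": 1,
    "ZtdCorrelationId": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}"
}
'@
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotJsonCheck'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Case 1: saved as the page instructs (required file name, ASCII encoding).
$sample | Set-Content -Encoding Ascii -Path (Join-Path $dir 'AutopilotConfigurationFile.json')
Test-AutopilotConfigurationFile -Path (Join-Path $dir 'AutopilotConfigurationFile.json')

# Case 2: the failure the page warns about (different file name, Unicode encoding).
$sample | Out-File -Encoding Unicode -FilePath (Join-Path $dir 'profile.json')
Test-AutopilotConfigurationFile -Path (Join-Path $dir 'profile.json')
```

Run it against the package source folder before distributing the package; an empty Problems list means the file met every check in the function.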

Create a package containing the JSON file


1. In the Configuration Manager console, go to the Software Library workspace,
expand Application Management, and select the Packages node.

2. On the ribbon, select Create Package.


3. In the Create Package and Program Wizard, enter the following details for the
package:

Name: Autopilot for existing devices config

Select This package contains source files

Source folder: Specify the UNC network path that contains the
AutopilotConfigurationFile.json file

For more information, see Packages and programs in Configuration Manager.

4. For the program, select the Program Type: Don't create a program

5. Complete the wizard.

Note

If you change user-driven Autopilot profile settings in Intune at a later date, make
sure to update the JSON file. Then redistribute the associated Configuration
Manager package.

Create a target collection

Note

You can also choose to reuse an existing collection.

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node.

2. On the ribbon, select Create, and then choose Create Device Collection.

3. In the Create Device Collection Wizard, enter the following General details:

Name: Autopilot for existing devices collection

Comment: Add an optional comment to further describe the collection

Limiting collection: All Systems

Note

You can optionally choose to use an alternative collection for the limiting
collection. The device to be upgraded must be running the
Configuration Manager client in the collection that you select.

4. On the Membership Rules page, select Add Rule. Specify either a direct or query-
based collection rule to add the target Windows devices to the new collection.

For example, if the hostname of the computer to be wiped and reloaded is PC-01
and you want to use Name as the attribute:

a. Select Add Rule, select Direct Rule to open the Create Direct Membership Rule
Wizard, and select Next on the Welcome page.

b. On the Search for Resources page, enter PC-01 as the Value.

c. Select Next, and select PC-01 in the Resources.


5. Complete the wizard with the default settings.

For more information, see How to create collections in Configuration Manager.

Create a task sequence


1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems and select the Task Sequences node.

2. On the Home ribbon, select Create Task Sequence.

3. On the Create new task sequence page, select the option to Deploy Windows
Autopilot for existing devices.

4. On the Task sequence information page, specify the following information:

A name for the task sequence. For example, Autopilot for existing devices.
Optionally add a description to better describe the task sequence.
Select a boot image. For more information on supported boot image
versions, see Support for the Windows ADK in Configuration Manager.

5. On the Install Windows page, select the Windows Image package. Then configure
the following settings:
Image index: Select either Enterprise, Education, or Professional, as required
by your organization.

Enable the option to Partition and format the target computer before
installing the operating system.

Configure task sequence for use with Bitlocker: If you enable this option, the
task sequence includes the steps necessary to enable BitLocker.

Product key: If you need to specify a product key for Windows activation,
enter it here.

Select one of the following options to configure the local administrator
account in Windows:
Randomly generate the local administrator password and disable the
account on all support platforms (recommended)
Enable the account and specify the local administrator password

6. On the Configure Network page, select the option to Join a workgroup.

Important

The Autopilot for existing devices task sequence runs the Prepare Windows
for capture step, which uses the Windows System Preparation Tool (Sysprep).
This action fails if the device is joined to a domain.

Sysprep runs with the /Generalize parameter, which on Windows 10 version
1909 deletes the Autopilot profile file. The device then boots into the OOBE
phase instead of Autopilot. To fix this issue, see Windows Autopilot - known
issues: Windows Autopilot for existing devices doesn't work for Windows
10, version 1903 or 1909.

7. On the Install Configuration manager page, add any necessary installation
properties for your environment.

Tip

The task sequence only needs this information if the Configuration Manager
client components are needed during the task sequence before Sysprep runs.
For example, to install software updates or applications. If you're not doing
these actions, the client isn't needed. It's uninstalled before the task sequence
runs Sysprep.

8. The Include updates page selects by default the option to Do not install any
software updates.

Tip

Use offline image servicing to keep the image up to date with the latest
Windows cumulative updates. For more information, see Apply software
updates to an image.

9. On the Install applications page, you can select applications to install during the
task sequence. However, Microsoft recommends that you mirror the signature
image approach with this scenario. After the device provisions with Autopilot,
apply all applications and configurations from Microsoft Intune or Configuration
Manager co-management. This process provides a consistent experience between
users receiving new devices and those using Windows Autopilot for existing
devices.

10. On the System Preparation page, select the package that includes the Autopilot
configuration file. By default, the task sequence restarts the computer after it runs
Windows Sysprep. You can also select the option to Shutdown computer after this
task sequence completes. This option lets you prepare a device and then deliver it
to a user for a consistent Autopilot experience.

11. Complete the wizard.

The Windows Autopilot for existing devices task sequence results in a device joined to
Azure AD.

For more information on creating the task sequence, including information on other
wizard options, see Create a task sequence to install an OS.

If you edit the task sequence, it's similar to the default task sequence to apply an
existing OS image. This task sequence includes the following extra steps:

Apply Windows Autopilot configuration: This step applies the Autopilot
configuration file from the specified package. It's not a new type of step, it's a Run
Command Line step to copy the file.

Prepare Windows for Capture: This step runs Windows Sysprep, and has the
setting to Shutdown the computer after running this action. For more
information, see Prepare Windows for Capture.

For more information on editing the task sequence, see Use the task sequence editor
and Task sequence steps.

Note

The Prepare Windows for Capture step deletes the
AutopilotConfigurationFile.json file. For more information and a workaround, see
Windows Autopilot - known issues: Windows Autopilot for existing devices
doesn't work for Windows 10, version 1903 or 1909.

To make sure the user's data is backed up before the Windows 10 upgrade, use
OneDrive for Business known folder move.

Distribute content to distribution points


Next distribute all content required for the task sequence to distribution points.

1. Select the Autopilot for existing devices task sequence, and in the ribbon select
Distribute Content.

2. On the Specify the content destination page, select Add to specify either a
Distribution Point or Distribution Point Group.

3. Specify content destinations that let the devices get the content.

4. When you're finished specifying content distribution, complete the wizard.

For more information, see Manage task sequences to automate tasks.

Deploy the Autopilot task sequence


1. Select the Autopilot for existing devices task sequence, and in the ribbon select
Deploy.

2. In the Deploy Software Wizard, specify the following details:

General

Task Sequence: Autopilot for existing devices

Collection: Autopilot for existing devices collection

Deployment Settings
Action: Install.

Purpose: Available. You can optionally select Required instead of Available.
A required purpose isn't recommended during testing.

Make available to the following: Only Configuration Manager Clients.

Note

Choose the option here that is relevant for the context of your test. If
the target client doesn't have the Configuration Manager agent or
Windows installed, you must select an option that includes PXE or
Boot Media.

Scheduling
Set a time for when this deployment becomes available

User Experience
Select Show Task Sequence progress

Distribution Points
Deployment options: Download content locally when needed by the
running task sequence

3. Complete the wizard.

Complete the deployment process


1. On the target Windows device, go to the Start menu, type Software Center , and
open it.

2. In the Software Library, under Operating Systems, select Autopilot for existing
devices, and then select Install.

The task sequence runs and does the following actions:

1. Download content

2. Restart the device

3. Format the drive

4. Install Windows from the specified OS image


5. Prepare for Autopilot

6. After the task sequence completes, the device boots into OOBE for the Autopilot
experience.

Note

If you need to join devices to Active Directory for hybrid Azure AD join scenario,
create a Domain Join device configuration profile. Target the profile to All Devices,
since there's no Azure AD device object for the computer to do group-based
targeting. For more information, see User-driven mode for hybrid Azure Active
Directory join.

Register the device for Windows Autopilot


Devices provisioned with Autopilot only receive the guided OOBE Autopilot experience
on first boot.

After you update Windows on an existing device, make sure to register the device so it
has the Autopilot experience when the PC resets. You can enable automatic registration
for a device by using the Convert all targeted devices to Autopilot setting in the
Autopilot profile that is assigned to a group that the device is a member of. For more
information, see Create an Autopilot deployment profile.

Also see Adding devices to Windows Autopilot.


How to speed up the deployment process

To remove around 20 minutes from the deployment process, see Michael Niehaus's blog
with instructions for Speeding up Windows Autopilot for existing devices.

Refresh an existing computer with a new version of Windows
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use Configuration Manager to partition and format an existing computer and then
install a new OS. This process is sometimes called reimaging or wipe and load. For this
scenario, choose from many different deployment methods, such as PXE, bootable
media, or Software Center. You can also use a state migration point to store settings,
and then restore them to the new OS.

To choose the right OS deployment scenario, see Scenarios to deploy enterprise
operating systems.

Plan

Plan for and implement infrastructure requirements


There are several infrastructure requirements that must be in place before you can
deploy an OS. Some of these requirements include the Windows ADK, the User State
Migration Tool (USMT), and Windows Deployment Services (WDS). For more
information, see Infrastructure requirements for OS deployment.

Install a state migration point


If you want to capture settings from an existing computer, and then restore the settings
to the new OS, consider using a state migration point. For more information, see State
migration point.

Configure

Prepare a boot image


Boot images start a computer in a Windows PE environment. Windows PE is a minimal
OS with limited components and services. From Windows PE, Configuration Manager
can then install a full Windows OS on the computer.

For more information, see the following articles:

Manage boot images

Customize boot images

Distribute content

Prepare an OS image

The OS image contains the files necessary to install the OS on the destination computer.

For more information, see the following articles:

Manage OS images

Distribute content

Create a task sequence to deploy an OS


Use a task sequence to automate the installation of the OS. Depending on the
deployment method that you choose, there might be additional considerations for the
task sequence.

For more information, see the following articles:

Create a task sequence to install an OS

Manage user state

Deploy

Use one of the following deployment methods to deploy the OS:

Use PXE to deploy Windows over the network

Use multicast to deploy Windows over the network

Create an image for an OEM in factory or a local depot

Use stand-alone media to deploy Windows without using the network

Use bootable media to deploy Windows over the network

Use Software Center to deploy Windows over the network


Monitor

For more information, see Monitor OS deployments.

Note

When you reimage a UEFI device, Windows Boot Manager creates a new entry in
the boot loader. This behavior is most noticeable when you repeatedly reimage a
device, such as in a test environment or a student lab. It generally doesn't impact
the performance or usage of the device. If the list gets too large, some specific
hardware devices may encounter functional issues. For example, not booting to an
external USB drive, or not able to select the current boot entry from the list. Use the
Windows bcdedit command to clear unused boot entries. For more information,
see BCDEdit /deletevalue.

Install a new version of Windows on a new computer (bare metal) with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic provides the general steps in Configuration Manager to install an operating
system on a new computer. For this scenario, you can choose from many different
deployment methods, such as PXE, OEM, or stand-alone media. If you are unsure that
this is the right operating system deployment scenario for you, see Scenarios to deploy
enterprise operating systems.

Use the following sections to install a new version of Windows on a new computer.

Plan

Plan for and implement infrastructure requirements

There are several infrastructure requirements that must be in place before you can
deploy operating systems, such as Windows ADK, Windows Deployment Services
(WDS), supported hard disk configurations, etc. For more information, see
Infrastructure requirements for operating system deployment.

Configure

1. Prepare a boot image

Boot images start a computer in a Windows PE environment (a minimal operating
system with limited components and services) that can then install a full Windows
operating system on the computer. When you deploy operating systems, you must
select a boot image to use and distribute the image to a distribution point. Use the
following to prepare the boot image:

To learn more about boot images, see Manage boot images.

For more information about how to customize a boot image, see Customize
boot images.

Distribute the boot image to distribution points. For more information, see
Distribute content.

2. Prepare an operating system image

The operating system image contains the files necessary to install the operating
system on the destination computer. Use the following to prepare the operating
system image:

To learn more about how to create an operating system image, see Manage
operating system images.

Distribute the operating system image to distribution points. For more
information, see Distribute content.

Note

New installations of Windows can also be performed from installation source
files via OS upgrade packages, but use OS images such as install.wim instead.

Deploying new installations of Windows via OS upgrade packages is still
supported, but is dependent on drivers being compatible with this method.
When installing Windows from an OS upgrade package, drivers are installed
while still in Windows PE versus simply being injected while in Windows PE.
Some drivers are not compatible with being installed while in Windows PE. If
drivers are not compatible with being installed while in Windows PE, then use
an OS image instead.

3. Create a task sequence to deploy operating systems over the network

Use a task sequence to automate the installation of the operating system over the
network. Use the steps in Create a task sequence to install an operating system to
create the task sequence to deploy the operating system. Depending on the
deployment method that you choose, there might be additional considerations for
the task sequence.

Deploy

Use one of the following deployment methods to deploy the operating system:

Use PXE to deploy Windows over the network

Use multicast to deploy Windows over the network


Create an image for an OEM in factory or a local depot

Use stand-alone media to deploy Windows without using the network

Use bootable media to deploy Windows over the network

Monitor

Monitor the task sequence deployment

To monitor the task sequence deployment to install the operating system, see
Monitor operating system deployments.

Replace an existing computer and transfer settings with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic provides the general steps in Configuration Manager to replace an existing
computer with a new computer. For this scenario, you can choose from many different
deployment methods, such as bootable media, multicast, or Software Center. You can
also choose to install a state migration point to store settings and then restore them to
the new operating system after it is installed. If you are unsure that this is the right
operating system deployment scenario for you, see Scenarios to deploy enterprise
operating systems.

Use the following sections to replace an existing computer and transfer its settings.

Plan

Plan for and implement infrastructure requirements

There are several infrastructure requirements that must be in place before you can
deploy operating systems, such as Windows ADK, User State Migration Tool
(USMT), Windows Deployment Services (WDS), supported hard disk configurations,
etc. For more information, see Infrastructure requirements for operating system
deployment.

Install a state migration point (required only if you transfer settings)

When you are going to capture settings from the existing computer, and then
restore the settings to the new operating system, you must install a state migration
point. For more information, see State migration point.

Configure

1. Prepare a boot image

Boot images start a computer in a Windows PE environment (a minimal operating
system with limited components and services) that can then install a full Windows
operating system on the computer. When you deploy operating systems, you must
select a boot image to use and distribute the image to a distribution point. Use the
following to prepare the boot image:

To learn more about boot images, see Manage boot images.

For more information about how to customize a boot image, see Customize
boot images.

Distribute the boot image to distribution points. For more information, see
Distribute content.

2. Prepare an operating system image

The operating system image contains the files necessary to install the operating
system on the destination computer. Use the following to prepare the operating
system image:

To learn more about how to create an operating system image, see Manage
operating system images.

Distribute the operating system image to distribution points. For more
information, see Distribute content.

3. Create a task sequence to deploy operating systems over the network

Use a task sequence to automate the installation of the operating system over the
network. Use the steps in Create a task sequence to install an operating system to
create the task sequence to deploy the operating system. Depending on the
deployment method that you choose, there might be additional considerations for
the task sequence.

Note

In this scenario, if you capture and restore user settings and files, you can
choose to use a state migration point or save the files locally. For more
information, see Manage user state.

Deploy

Use one of the following deployment methods to deploy the operating system:

Use Software Center to deploy Windows over the network


Use bootable media to deploy Windows over the network

Use multicast to deploy Windows over the network

Create an image for an OEM in factory or a local depot

Monitor

Monitor the task sequence deployment

To monitor the task sequence deployment to install the operating system, see
Monitor operating system deployments.

Security and privacy for OS deployment in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for the OS deployment feature in
Configuration Manager.

Security best practices for OS deployment


Use the following security best practices for when you deploy operating systems with
Configuration Manager:

Implement access controls to protect bootable media


When you create bootable media, always assign a password to help secure the media.
Even with a password, it only encrypts files that contain sensitive information, and all
files can be overwritten.

Control physical access to the media to prevent an attacker from using cryptographic
attacks to obtain the client authentication certificate.

To help prevent a client from installing content or client policy that has been tampered
with, the content is hashed and must be used with the original policy. If the content
hash check fails, or the check that the content matches the policy fails, the client won't use the
bootable media. Only the content is hashed. The policy isn't hashed, but it's encrypted
and secured when you specify a password. This behavior makes it more difficult for an
attacker to successfully modify the policy.

Use a secure location when you create media for OS images

If unauthorized users have access to the location, they can tamper with the files that you
create. They can also use all the available disk space so that the media creation fails.

Protect certificate files


Protect certificate files (.pfx) with a strong password. If you store them on the network,
secure the network channel when you import them into Configuration Manager.

When you require a password to import the client authentication certificate that you use
for bootable media, this configuration helps to protect the certificate from an attacker.

Use SMB signing or IPsec between the network location and the site server to prevent
an attacker from tampering with the certificate file.

Block or revoke any compromised certificates


If the client certificate is compromised, block the certificate from Configuration
Manager. If it's a PKI certificate, revoke it.

To deploy an OS by using bootable media and PXE boot, you must have a client
authentication certificate with a private key. If that certificate is compromised, block the
certificate in the Certificates node in the Administration workspace, Security node.

Secure the communication channel between the site server and the SMS Provider

When the SMS Provider is remote from the site server, secure the communication
channel to protect boot images.

When you modify boot images and the SMS Provider is running on a server that isn't
the site server, the boot images are vulnerable to attack. Protect the network channel
between these computers by using SMB signing or IPsec.

Enable distribution points for PXE client communication only on secure network segments

When a client sends a PXE boot request, you have no way to make sure that the request
is serviced by a valid PXE-enabled distribution point. This scenario has the following
security risks:

A rogue distribution point that responds to PXE requests could provide a tampered
image to clients.

An attacker could launch a man-in-the-middle attack against the TFTP protocol
that is used by PXE. This attack could send malicious code with the OS files. The
attacker could also create a rogue client to make TFTP requests directly to the
distribution point.

An attacker could use a malicious client to launch a denial of service attack against
the distribution point.

Use defense in depth to protect the network segments where clients access PXE-
enabled distribution points.

Warning

Because of these security risks, don't enable a distribution point for PXE
communication when it's in an untrusted network, such as a perimeter network.

Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces

If you allow the distribution point to respond to PXE requests on all network interfaces,
this configuration might expose the PXE service to untrusted networks.

Require a password to PXE boot


When you require a password for PXE boot, this configuration adds an extra level of
security to the PXE boot process. This configuration helps safeguard against rogue
clients joining the Configuration Manager hierarchy.

Restrict content in OS images used for PXE boot or multicast

Don't include line-of-business applications or software that contains sensitive data in an
image that you use for PXE boot or multicast.

Because of the inherent security risks involved with PXE boot and multicast, reduce the
risks if a rogue computer downloads the OS image.

Restrict content installed by task sequence variables


Don't include line-of-business applications or software that contains sensitive data in
packages of applications that you install by using task sequence variables.

When you deploy software by using task sequence variables, it might be installed on
computers and to users who aren't authorized to receive that software.

Secure the network channel when migrating user state

When you migrate user state, secure the network channel between the client and the
state migration point by using SMB signing or IPsec.

After the initial connection over HTTP, user state migration data is transferred by using
SMB. If you don't secure the network channel, an attacker can read and modify this data.

Use the latest version of USMT


Use the latest version of the User State Migration Tool (USMT) that Configuration
Manager supports.

The latest version of USMT provides security enhancements and greater control for
when you migrate user state data.

Manually delete folders on state migration points when you decommission them

When you remove a state migration point folder in the Configuration Manager console
on the state migration point properties, the site doesn't delete the physical folder. To
protect the user state migration data from information disclosure, manually remove the
network share and delete the folder.

Don't configure the deletion policy to immediately delete user state

If you configure the deletion policy on the state migration point to immediately remove
data that's marked for deletion, and if an attacker manages to retrieve the user state
data before the valid computer does, the site immediately deletes the user state data.
Set the Delete after interval to be long enough to verify the successful restore of user
state data.

Manually delete computer associations


Manually delete computer associations when the user state migration data restore is
complete and verified.

Configuration Manager doesn't automatically remove computer associations. Help to
protect the identity of user state data by manually deleting computer associations that
are no longer required.

Manually back up the user state migration data on the state migration point

Configuration Manager Backup doesn't include the user state migration data in the site
backup.

Implement access controls to protect the prestaged media

Control physical access to the media to prevent an attacker from using cryptographic
attacks to obtain the client authentication certificate and sensitive data.

Implement access controls to protect the reference computer imaging process

Make sure the reference computer you use to capture OS images is in a secure
environment. Use appropriate access controls so that unexpected or malicious software
can't be installed and inadvertently included in the captured image. When you capture
the image, make sure the destination network location is secure. This process helps
make sure the image can't be tampered with after you capture it.

Always install the most recent security updates on the reference computer

When the reference computer has current security updates, it helps to reduce the
window of vulnerability for new computers when they first start up.

Implement access controls when deploying an OS to an unknown computer

If you must deploy an OS to an unknown computer, implement access controls to
prevent unauthorized computers from connecting to the network.

Provisioning unknown computers provides a convenient method to deploy new
computers on demand. But it can also allow an attacker to efficiently become a trusted
client on your network. Restrict physical access to the network, and monitor clients to
detect unauthorized computers.

Computers responding to a PXE-initiated OS deployment might have all data destroyed
during the process. This behavior could result in a loss of availability of systems that are
inadvertently reformatted.

Enable encryption for multicast packages


For every OS deployment package, you can enable encryption when Configuration
Manager transfers the package by using multicast. This configuration helps prevent
rogue computers from joining the multicast session. It also helps prevent attackers from
tampering with the transmission.

Monitor for unauthorized multicast-enabled distribution points

If attackers can gain access to your network, they can configure rogue multicast servers
to spoof OS deployment.

When you export task sequences to a network location, secure the location and secure the network channel

Restrict who can access the network folder.

Use SMB signing or IPsec between the network location and the site server to prevent
an attacker from tampering with the exported task sequence.
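This article recommends SMB signing for several paths: importing certificate files, a remote SMS Provider, the state migration point, and exported task sequences. As an added example, not part of the original article, the script below reports whether a host requires SMB signing as server and as client. Get-SmbSigningStatus is a hypothetical helper name, and the script assumes the SmbShare module cmdlets Get-SmbServerConfiguration and Get-SmbClientConfiguration are available on the hosts you query.

```powershell
# Added example. Get-SmbSigningStatus is a hypothetical helper name.
function Get-SmbSigningStatus {
    [CmdletBinding()]
    param(
        # Defaults to the local computer so the script runs without remote hosts.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($name in $ComputerName) {
        $session = $null
        $row = [ordered]@{
            ComputerName            = $name
            InboundSigningRequired  = $null   # host acting as SMB server
            OutboundSigningRequired = $null   # host acting as SMB client
            Error                   = $null
        }
        try {
            # Query the local host directly; open a CIM session for remote hosts.
            $cim = @{}
            if ($name -ne $env:COMPUTERNAME) {
                $session = New-CimSession -ComputerName $name -ErrorAction Stop
                $cim['CimSession'] = $session
            }
            $server = Get-SmbServerConfiguration @cim -ErrorAction Stop
            $client = Get-SmbClientConfiguration @cim -ErrorAction Stop
            $row.InboundSigningRequired  = [bool]$server.RequireSecuritySignature
            $row.OutboundSigningRequired = [bool]$client.RequireSecuritySignature
        }
        catch {
            # Unreachable host or missing rights: record it instead of stopping.
            $row.Error = $_.Exception.Message
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
        [pscustomobject]$row
    }
}

# Run locally first; then pass your own hosts, for example the site server, a
# remote SMS Provider, the state migration point and the file share host:
#   Get-SmbSigningStatus -ComputerName 'SITESERVER01', 'SMP01'   # placeholder names
$status = @(Get-SmbSigningStatus)
$status | Format-Table -AutoSize | Out-Host

# SMB signs a session when either end requires it, so flag hosts that require
# signing in neither direction: they rely entirely on their peers.
$weak = @($status | Where-Object {
    -not $_.Error -and -not ($_.InboundSigningRequired -or $_.OutboundSigningRequired)
})
if ($weak.Count -gt 0) {
    Write-Warning "SMB signing not required in either direction on: $($weak.ComputerName -join ', ')"
}
```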

If you use the task sequence run as account, take additional security precautions

If you use the task sequence run as account, take the following precautionary steps:

Use an account with the least possible permissions.

Don't use the network access account for this account.

Never make the account a domain administrator.

Never configure roaming profiles for this account. When the task sequence runs, it
downloads the roaming profile for the account, which leaves the profile vulnerable
to access on the local computer.

Limit the scope of the account. For example, create different task sequence run as
accounts for each task sequence. If one account is compromised, only the client
computers to which that account has access are compromised. If the command
line requires administrative access on the computer, consider creating a local
administrator account solely for the task sequence run as account. Create this local
account on all computers that run the task sequence, and delete the account as
soon as it's no longer required.

Restrict and monitor the administrative users who are granted the OS deployment manager security role

Administrative users who are granted the OS deployment manager security role can
create self-signed certificates. These certificates can then be used to impersonate a
client and obtain client policy from Configuration Manager.

Use Enhanced HTTP to reduce the need for a network access account

Starting in version 1806, when you enable Enhanced HTTP, several OS deployment
scenarios don't require a network access account to download content from a
distribution point. For more information, see Task sequences and the network access
account.

Security issues for OS deployment


Although OS deployment can be a convenient way to deploy the most secure operating
systems and configurations for computers on your network, it does have the following
security risks:

Information disclosure and denial of service


If an attacker can obtain control of your Configuration Manager infrastructure, they
could run any task sequences. This process might include formatting the hard drives of
all client computers. Task sequences can be configured to contain sensitive information,
such as accounts that have permissions to join the domain and volume licensing keys.

Impersonation and elevation of privileges


Task sequences can join a computer to a domain, which can provide a rogue computer
with authenticated network access.

Protect the client authentication certificate that's used for bootable task sequence
media and for PXE boot deployment. When you capture a client authentication
certificate, this process gives an attacker an opportunity to obtain the private key in the
certificate. This certificate lets them impersonate a valid client on the network. In this
scenario, the rogue computer can download policy, which can contain sensitive data.

If clients use the network access account to access data stored on the state migration
point, these clients effectively share the same identity. They could access state migration
data from another client that uses the network access account. The data is encrypted so
only the original client can read it, but the data could be tampered with or deleted.

Client authentication to the state migration point is achieved by using a Configuration
Manager token that is issued by the management point.

Configuration Manager doesn't limit or manage the amount of data that's stored on the
state migration point. An attacker could fill up the available disk space and cause a
denial of service.

If you use collection variables, local administrators can read potentially sensitive information
Although collection variables offer a flexible method to deploy operating systems, this
feature might result in information disclosure.

Privacy information for OS deployment


In addition to deploying an OS to computers without one, Configuration Manager can
be used to migrate users' files and settings from one computer to another. The
administrator configures which information to transfer, including personal data files,
configuration settings, and browser cookies.

Configuration Manager stores the information on a state migration point, and encrypts
it during transmission and storage. Only the new computer associated with the state
information can retrieve the stored information. If the new computer loses the key to
retrieve the information, a Configuration Manager administrator with the View Recovery
Information right on computer association instance objects can access the information
and associate it with a new computer. After the new computer restores the state
information, it deletes the data after one day, by default. You can configure when the
state migration point removes data marked for deletion. Configuration Manager doesn't
store the state migration information in the site database, and doesn't send it to
Microsoft.

If you use boot media to deploy OS images, always use the default option to password-
protect the boot media. The password encrypts any variables stored in the task
sequence, but any information not stored in a variable might be vulnerable to
disclosure.

OS deployment can use task sequences to perform many different tasks during the
deployment process, which includes installing applications and software updates. When
you configure task sequences, you should also be aware of the privacy implications of
installing software.

Configuration Manager doesn't implement OS deployment by default. It requires several
configuration steps before you collect user state information or create task sequences or
boot images.

Before you configure OS deployment, consider your privacy requirements.

See also
Diagnostics and usage data

Security and privacy for Configuration Manager


Plan for OS deployment interoperability
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When different Configuration Manager sites in a single hierarchy use different versions,
some Configuration Manager functionality isn't available. Typically, functionality from
the newer version of Configuration Manager isn't accessible at sites or by clients that
run a lower version. For more information, see Interoperability between different
versions of Configuration Manager.

Objects
Consider the following objects when you upgrade the top-level site in your hierarchy
and other sites in your hierarchy run Configuration Manager with a lower version:

Client installation package


The source for the default client installation package is automatically upgraded. All
distribution points in the hierarchy are updated with the new client installation
package. This behavior happens even on distribution points at sites in the
hierarchy that are at a lower version.

You can't assign new version clients to sites that you haven't yet upgraded to the
new version. Assignment is blocked at the management point.

Boot images
When you upgrade the top-level site to the latest version of Configuration
Manager, it automatically updates the default boot images (x86 and x64). The
update uses the version of the Windows ADK and Windows PE that you've
installed. The files that are associated with the default boot images are updated
with the latest Configuration Manager version of the files. The site doesn't
automatically update custom boot images. You need to manually update custom
boot images, which include older Windows PE versions.

When your site hierarchy contains sites with different versions of Configuration
Manager, avoid the use of dynamic media. Instead, use site-based media to
contact a specific management point. After you update all sites to the same
version of Configuration Manager, you can use dynamic media again.

Verify that the latest Configuration Manager boot images include your
customizations. Then update all distribution points at the new version sites with
the latest version of the new boot images.

User State Migration Tool (USMT)


When you upgrade the top-level site to the latest version of Configuration Manager, it
automatically updates the default USMT package to the latest version. It doesn't
automatically update any custom USMT packages. You need to manually update these
packages.

New task sequence steps


Periodically, new task sequence steps are introduced with new versions of Configuration
Manager. When you deploy a task sequence with a new step to older clients, the task
sequence step fails. Before you deploy a task sequence with a new step, make sure the
clients in the target collection are updated to the new version.

OS deployment media
When the site is updated to a new version, update all media with the new Configuration
Manager client package. These media types include bootable, capture, prestaged, and
stand-alone.

Third-party extensions to OS deployment


When you have third-party extensions to OS deployment and you have different
versions of Configuration Manager sites or Configuration Manager clients, there might
be issues with the extensions.

Latest version of Configuration Manager sites in a mixed hierarchy
When you upgrade a site to the latest version of Configuration Manager, task sequences
that reference the default client installation package automatically start to deploy the
latest Configuration Manager client version.

Task sequences that reference a custom client installation package continue to deploy
the version of the client that's contained in that custom package. Custom packages
likely include an earlier version of the Configuration Manager client. To avoid task
sequence deployment failures, update any custom client installation packages to the
latest version.

When you configure a task sequence to use a custom client installation package, do one
of the following actions:

Update the task sequence step to use the latest Configuration Manager version of
the client installation package

Update the custom package to use the latest Configuration Manager client
installation source

Important

Don't deploy a task sequence that references the latest Configuration Manager
client installation package to clients in an older Configuration Manager site. When
clients assigned to an older Configuration Manager site are upgraded to the latest
Configuration Manager client version, Configuration Manager blocks the
assignment to the older Configuration Manager site. These clients are no longer
assigned to any site. Until you manually assign the client to the latest Configuration
Manager site, or reinstall the older Configuration Manager version of the client on
the computer, these clients are unmanaged.

Older versions of Configuration Manager in a mixed hierarchy
When you upgrade your central administration site to the latest version of Configuration
Manager, make sure that OS deployment task sequences that you deploy don't leave
those clients in an unmanaged state. For example, this situation can occur if you deploy
to clients assigned to an older Configuration Manager site that you haven't yet upgraded
to the latest version of Configuration Manager.

Make a copy of a task sequence that you use to deploy to clients in the latest version of
Configuration Manager site. Then modify the task sequence so you can deploy it to
clients in an older Configuration Manager site. Configure the task sequence to reference
a custom client installation package that uses the older Configuration Manager client
installation source. If you don't already have a custom client installation package that
references the older Configuration Manager client installation source, manually create
one.

Next steps
Interoperability between different versions of Configuration Manager

Prepare site system roles for OS deployments


Prepare site system roles for OS deployments with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To deploy operating systems in Configuration Manager, first prepare the following site
system roles that require specific configurations and considerations.

Distribution points
The distribution point site system role hosts source files for clients to download. This
content is for applications, software updates, OS images, boot images, and driver
packages. Control content distribution by using bandwidth, throttling, and scheduling
options.

It's important that you have enough distribution points to support the deployment of
operating systems to computers. It's also important that you plan for the placement of
these distribution points in your hierarchy. For more information, see Manage content
and content infrastructure. This article includes more planning considerations for
distribution points specific to OS deployment.

Additional planning considerations for distribution points

How can I prevent unwanted OS deployments?

Configuration Manager doesn't distinguish site servers from other destination
computers in a collection. If you deploy a required task sequence to a collection that
includes a site server, it runs the task sequence the same way as any other computer in
the collection. Make sure that your OS deployment uses a collection that includes the
intended clients.

Manage the behavior for high-risk task sequence deployments. A high-risk deployment
automatically installs on a client and has the potential to cause unwanted results. For
example, a task sequence with a purpose of Required that deploys an OS is a high-risk
deployment. To reduce the risk of an unwanted high-risk deployment, configure deployment
verification settings. For more information, see Settings to manage high-risk deployments.

How many computers can receive an OS image at one time from a single distribution point?

To estimate how many distribution points you need, consider the following variables:

The processing speed of the distribution point

The disk speed of the distribution point

The available bandwidth on the network

The size of the image package

For example, if you don't consider any other server resource factors, the maximum
number of computers that can process a 4-GB image package in one hour on a 100-
megabit/sec Ethernet network is 11 computers.

100 megabits/sec = 12.5 megabytes/sec = 750 megabytes/min = 45 gigabytes/hour = 11 images @ 4 GB per image

If you must deploy an OS to a specific number of computers within a specific time
frame, distribute the image to an appropriate number of distribution points.

Can I deploy an OS to a distribution point?


You can deploy an OS to a distribution point, but the OS image must be received from a
different distribution point.

Configuring distribution points to accept PXE requests


To deploy operating systems to Configuration Manager clients that make PXE boot
requests, configure one or more distribution points to accept PXE requests. Once you
configure the distribution point, it responds to PXE boot requests and determines the
appropriate deployment action to take. For more information, see Install or modify a
distribution point.

Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points
You can customize the RamDisk TFTP block and window sizes for PXE-enabled
distribution points. If you've customized your network, a large block or window size
could cause the boot image download to fail with a time-out error. The RamDisk TFTP
block and window size customizations allow you to optimize TFTP traffic when using PXE
to meet your specific network requirements. To determine what configuration is most
efficient, test the customized settings in your environment.

TFTP block size: The block size is the size of the data packets that the server sends
to the client that is downloading the file. A larger block size allows the server to
send fewer packets, so there are fewer round-trip delays between the server and
the client. However, a large block size leads to fragmented packets, which most
PXE client implementations don't support.

TFTP window size: TFTP requires an acknowledgment (ACK) packet for each block
of data that is sent. The server doesn't send the next block in the sequence until it
receives the ACK packet for the previous block. TFTP windowing enables you to
define how many data blocks it takes to fill a window. The server sends the data
blocks back-to-back until the window is filled, and then the client sends an ACK
packet. If you increase this window size, it reduces the number of round-trip delays
between the client and server, and it decreases the overall required time to
download a boot image.

Modify the RamDisk TFTP window size


To customize the RamDisk TFTP window size, add the following registry key on PXE-
enabled distribution points:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPWindowSize
Type: REG_DWORD
Value: (customized window size)
The default value is 1 (one data block fills the window).

Modify the RamDisk TFTP block size

To customize the RamDisk TFTP block size, add the following registry key on PXE-
enabled distribution points:

Location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name: RamDiskTFTPBlockSize
Type: REG_DWORD
Value: (customized block size)
The default value is 4096.

Note

Both Windows Deployment Services and the Configuration Manager PXE responder
service support these TFTP configurations.
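
One way to apply and record the two registry values described above, as an added PowerShell example that is not part of the Configuration Manager documentation or product. The function name is hypothetical, and the accepted ranges are an assumption taken from the TFTP option RFCs (2348 for block size, 7440 for window size), not from this article. It returns the previous values so that a setting that causes boot image time-outs can be rolled back.

```powershell
# Added example: reads and optionally sets the two RamDisk TFTP values described above.
# Run elevated on the PXE-enabled distribution point. The function name is hypothetical.
function Set-RamDiskTftpSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Range from RFC 7440 (windowsize option); an assumption of this example
        [ValidateRange(1, 65535)] [int] $WindowSize,
        # Range from RFC 2348 (blksize option); an assumption of this example
        [ValidateRange(8, 65464)] [int] $BlockSize,
        [string] $KeyPath = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
    )

    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Registry key '$KeyPath' not found. Run this on a distribution point."
    }

    # Defaults that the documentation states apply when the value is absent.
    $documentedDefault = [ordered]@{
        RamDiskTFTPWindowSize = 1
        RamDiskTFTPBlockSize  = 4096
    }

    # Only parameters the caller actually passed are treated as change requests.
    $requested = @{}
    if ($PSBoundParameters.ContainsKey('WindowSize')) { $requested.RamDiskTFTPWindowSize = $WindowSize }
    if ($PSBoundParameters.ContainsKey('BlockSize'))  { $requested.RamDiskTFTPBlockSize  = $BlockSize }

    foreach ($name in $documentedDefault.Keys) {
        $stored = (Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        $before = if ($null -eq $stored) { $documentedDefault[$name] } else { $stored }
        $after  = $before

        if ($requested.ContainsKey($name) -and $requested[$name] -ne $before) {
            if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set REG_DWORD to $($requested[$name])")) {
                New-ItemProperty -LiteralPath $KeyPath -Name $name -PropertyType DWord `
                    -Value $requested[$name] -Force | Out-Null
                # Read back so the report reflects what is really stored.
                $after = (Get-ItemProperty -LiteralPath $KeyPath -Name $name).$name
            }
        }

        [pscustomobject]@{
            Name          = $name
            ExplicitlySet = ($null -ne $stored)
            Before        = $before
            After         = $after
        }
    }
}

# Report the effective values without changing anything.
Set-RamDiskTftpSetting | Format-Table -AutoSize

# Preview a change. The value 4 is illustrative only; test in your own network.
Set-RamDiskTftpSetting -WindowSize 4 -WhatIf | Format-Table -AutoSize

# Apply it by removing -WhatIf:
# Set-RamDiskTftpSetting -WindowSize 4
```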

Configure distribution points to support multicast
Multicast is a network optimization method. Use it on distribution points when multiple
clients are likely to download the same OS image at the same time. When you use
multicast, multiple computers can simultaneously download the OS image as it's
multicast by the distribution point. Without multicast, the distribution point sends a
copy of the data to each client over a separate connection. For more information, see
Use multicast to deploy Windows over the network.

Before you deploy the OS, configure a distribution point to support multicast. For more
information, see Install and configure distribution points.

State migration point


The state migration point stores user state data that USMT captures on one computer,
and then restores on another computer. However, when you capture user settings for an
OS deployment on the same computer, such as a deployment where you refresh
Windows on the destination computer, you can choose whether to store the data on the
same computer by using hard-links or use a state migration point. For some computer
deployments, when you create the state store, Configuration Manager automatically
creates an association between the state store and the destination computer. As you
plan for the state migration point, consider the following factors:

User state size


The size of the user state directly affects disk storage on the state migration point and
network performance during the migration. Consider the size of the user state and the
number of computers to migrate. Consider also what settings to migrate from the
computer. For example, if the My Documents folder is already backed up to a server,
then perhaps you don't have to migrate it as part of the image deployment. Avoiding
unnecessary migrations keeps the overall size of the user state smaller, and decreases
the effect it would otherwise have on network performance and disk storage on the
state migration point.

User State Migration Tool


To capture and restore the user state during the deployment of the operating systems,
use a User State Migration Tool (USMT) package that points to the USMT source files.
Configuration Manager automatically creates this package in the Configuration Manager
console in Software Library > Application Management > Packages. Configuration
Manager uses USMT to capture the user state from one OS and then restore it to
another. The Windows Assessment and Deployment Kit (ADK) for Windows includes
USMT.

For a description of different migration scenarios for USMT, see Common migration
scenarios in the Windows documentation.

Retention policy
When you configure the state migration point, specify the length of time to keep the
user state data that it stores. The length of time to keep the data on the state migration
point depends on two considerations:

The effect that the stored data has on disk storage.

The potential requirement to keep the data for a time in case you must migrate the
data again.

State migration occurs in two phases: capturing the data, and restoring the data. When
you capture data, the user state data is collected and saved to the state migration point.
When you restore the data, the user state data is retrieved from the state migration
point, written to the destination computer, and then the Release State Store task
sequence step releases the stored data. When the data is released, the retention timer
starts. If you select the option to delete migrated data immediately, the user state data
is deleted as soon as it's released. If you select the option to keep the data for a certain
period of time, the data is deleted when that period of time elapses after the state data
is released. The longer you set the retention period, the more disk space you're likely to
require.

Select drive to store user state migration data


When you configure the state migration point, specify the drive on the server to store
the user state migration data. You select a drive from a fixed list of drives. However,
some of these drives might represent non-writable drives, such as the CD drive, or a
non-network share drive. Some drive letters might not be mapped to any drives on the
computer. Specify a writable, shared drive when you configure the state migration point.

Configure a state migration point


Use the following methods to configure a state migration point to store the user state
data:

Use the Create Site System Server Wizard to create a new site system server for
the state migration point.

Use the Add Site System Roles Wizard to add a state migration point to an
existing server.

When you use these wizards, you're prompted to provide the following information for
the state migration point:

The folders to store the user state data.

The maximum number of clients that can store data on the state migration point.

The minimum free space for the state migration point to store user state data.

The deletion policy for the role. Either specify that the user state data is deleted
immediately after it's restored on a computer, or after a specific number of days
after the user data is restored on a computer.

Whether the state migration point responds only to requests to restore user state
data. When you enable this option, you can't use the state migration point to store
user state data.

For the steps to install a site system role, see Add site system roles.

Next steps
Prepare for OS deployment


Prepare for OS deployment in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

There are several things you must do in Configuration Manager before you can deploy
operating systems. Use the following articles to prepare for OS deployment:

Manage boot images

Manage OS images

Manage OS upgrade packages

Manage drivers

Manage user state

Prepare for unknown computer deployments

Associate users with a destination computer

OS image size
OS images are large in size. For example, the image size for Windows 7 is 3 GB or more.
The size of the image and the number of computers to which you simultaneously deploy
the OS affects the network performance and available bandwidth. Make sure to test the
network performance. Testing the impact better gauges the effect the image
deployment might have and the time it takes to complete the deployment.
Configuration Manager activities that affect network performance include distributing
the image to a distribution point, distributing the image from one site to another, and
downloading the image to the client.

Also make sure that you plan for sufficient disk storage space on the distribution points
that host the OS images.

For more information, see Additional planning considerations for distribution points.

Client cache size


When Configuration Manager clients download content, they automatically use
Background Intelligent Transfer Service (BITS), if it's available. When you deploy a task
sequence that installs an OS, you can set an option on the deployment so that
Configuration Manager clients download the full image to a local cache before the task
sequence runs.

When a Configuration Manager client must download an OS image, but there isn't
enough space in the cache, the client can clear space in its cache. It checks the other
packages in the cache to determine whether deleting any of the oldest packages will
free enough disk space to accommodate the image. If deleting packages doesn't free
enough space, the client doesn't download the image, and the deployment fails. This
behavior might occur if the cache has a large package that you configure to persist in
the cache. If deleting packages does free enough disk space in the cache, the client
deletes them, and then downloads the image into the cache.

The default cache size on Configuration Manager clients might not be large enough for
most OS image deployments. If you plan to download the full image to the client cache,
adjust the client cache size on the destination computers to accommodate the size of
the image that you're deploying.

For more information, see Configure the client cache.


Manage boot images with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

A boot image in Configuration Manager is a Windows PE (WinPE) image that's used
during an OS deployment. Boot images are used to start a computer in WinPE. This
minimal OS contains limited components and services. Configuration Manager uses
WinPE to prepare the destination computer for Windows installation.

Default boot images


Configuration Manager provides two default boot images: one to support x86 platforms
and one to support x64 platforms. These images are stored in the x64 or i386 folders in
the following share on the site server: \\<SiteServerName>\SMS_<sitecode>\osd\boot\.
The default boot images are updated or regenerated depending on the action that you
take.

Consider the following behaviors for any of the actions described for default boot
images:

The source driver objects must be valid. These objects include the driver source
files. If the objects aren't valid, the site doesn't add the drivers to the boot images.

Boot images that aren't based on the default boot images, even if they use the
same Windows PE version, aren't modified.

Redistribute the modified boot images to distribution points.

Recreate any media that uses the modified boot images.

If you don't want your customized/default boot images automatically updated,
don't store them in the default location.

Note

The Configuration Manager log tool (CMTrace) is added to all boot images in the
Software Library. When you're in Windows PE, start the tool by typing cmtrace
from the command prompt.
CMTrace is the default viewer for log files in Windows PE.

Use updates and servicing to install the latest version of Configuration Manager
When you upgrade the Windows Assessment and Deployment Kit (ADK) version, and
then use updates and servicing to install the latest version of Configuration Manager,
the site regenerates the default boot images. This update includes the new WinPE
version from the updated Windows ADK, the new version of the Configuration Manager
client, drivers, and customizations. The site doesn't modify custom boot images.

Note

The site always uses the production version of the Configuration Manager client in
default boot images. Even if you configure automatic client upgrades to use a pre-
production collection, that feature doesn't apply to boot images.

Upgrade from Configuration Manager 2012 to current branch
When you upgrade Configuration Manager 2012 to current branch, the site regenerates
the default boot images. This update includes the new WinPE version from the updated
Windows ADK and the new version of the Configuration Manager client. All boot image
customizations remain unchanged. The site doesn't modify custom boot images.

Update distribution points with the boot image


When you use the Update Distribution Points action from the Boot Images node in the
console, the site updates the target boot image with the client components, drivers, and
customizations.

You can reload the boot image with the latest version of WinPE from the Windows ADK
installation directory. The General page of the Update Distribution Points wizard
provides the following information:

The current Windows ADK version installed on the site server

The current production client version

The Windows ADK version of WinPE in the boot image

The version of the Configuration Manager client in the boot image

If the versions in the boot image are out of date, use the option to Reload this boot
image with the current Windows PE version from the Windows ADK.

Important

This action is available for both default and custom boot images. During this
process to reload the boot image, the site doesn't retain any manual
customizations made outside of Configuration Manager. These customizations
include third-party extensions. This option rebuilds the boot image using the latest
version of WinPE and the latest client version. Only the configurations that you
specify on the properties of the boot image are reapplied.

The Boot Images node also includes a new column for (Client Version). Use this column
to quickly view the Configuration Manager client version in each boot image.

After you update the Windows ADK on the site server, the console won't immediately
show the new version. If you use one of these actions to update a boot image, the site uses
the latest ADK version. To get the console to display the current ADK version, restart the
WMI service. For more information, see Starting and Stopping the WMI Service.

Customize a boot image


When a boot image is based on the WinPE version from the supported version of the
Windows ADK, you can customize or modify a boot image from the console. When you
upgrade a site and install a new version of the Windows ADK, custom boot images
aren't updated with the new version of Windows ADK. When that happens, you can't
customize the boot images in the Configuration Manager console. However, they
continue to work as they did before the upgrade.

When a boot image is based on a different version of the Windows ADK installed on a
site, you must customize the boot images. Use another method to customize these boot
images, such as using the Deployment Image Servicing and Management (DISM)
command-line tool. DISM is part of the Windows ADK. For more information, see
Customize boot images.

Add a boot image


During site installation, Configuration Manager automatically adds boot images that are
based on a WinPE version from the supported version of the Windows ADK. Depending
on the version of Configuration Manager, you can add boot images based on a different
WinPE version from the supported version of the Windows ADK. An error occurs when you
try to add a boot image that contains an unsupported version of WinPE.

Configuration Manager also supports Windows PE versions for boot images that aren't
customizable from the Configuration Manager console. For example, you install the
Windows ADK and WinPE add-on for Windows 11 on the site server. For x64 boot
images based on WinPE version 11 from the WinPE add-on for Windows 11, you can
customize them from the Configuration Manager console. However, while x86 boot
images based on WinPE version 10 are supported, you need to manually customize
them from a different computer. Use the version of DISM that's installed with the
Windows ADK for Windows 10. Then, you can add the boot image to the Configuration
Manager console.

For more information, see the following articles:

Customize boot images

Support for the Windows ADK

DISM supported platforms

Use the following process to add a boot image in Configuration Manager:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Boot Images node.

2. On the Home tab of the ribbon, in the Create group, select Add Boot Image. This
action starts the Add Boot Image Wizard.

3. On the Data Source page, specify the following options:

In the Path box, specify the path to the boot image WIM file. The specified
path must be a valid network path in the UNC format. For example:
\\ServerName\ShareName\BootImageName.wim

Select the boot image from the Boot Image drop-down list. If the WIM file
contains multiple boot images, select the appropriate image.

4. On the General page, specify the following options:

In the Name box, specify a unique name for the boot image.

In the Version box, specify a version number for the boot image.

In the Comment box, specify a brief description of how you use the boot
image.

5. Complete the wizard.


The boot image is now listed in the Boot Image node. Before using the boot image to
deploy an OS, distribute the boot image to distribution points.

Tip

In the Boot Image node of the console, the Size (KB) column displays the
decompressed size for each boot image. When the site sends a boot image over
the network, it sends a compressed copy. This copy is typically smaller than the size
listed in the Size (KB) column.

Distribute boot images


Boot images are distributed to distribution points in the same way as you distribute
other content. Before you deploy an OS or create media, distribute the boot image to at
least one distribution point.

For more information on how to distribute a boot image, see Distribute content.

To use PXE to deploy an OS, consider the following points before you distribute the
boot image:

Configure the distribution point to accept PXE requests.

Distribute both an x86 and an x64 PXE-enabled boot image to at least one
PXE-enabled distribution point.

Configuration Manager distributes the boot images to the RemoteInstall folder on
the PXE-enabled distribution point.

For more information about using PXE to deploy operating systems, see Use PXE to
deploy Windows over the network.

Modify a boot image


Add or remove device drivers to the image, or edit the properties of the boot image.
The drivers that you add or remove can include network or storage drivers. Consider the
following factors when you modify boot images:

Before adding drivers to the boot image, import and enable them in the device
driver catalog.

When you modify a boot image, the boot image doesn't change any of the
associated packages that the boot image references.

After you make changes to a boot image, update the boot image on the
distribution points that already have it. This process makes the most current
version of the boot image available to clients. For more information, see Manage
content you've distributed.

Modify the properties of a boot image


1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Boot Images node.

2. Select the boot image that you want to modify.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Set any of the following settings to change the behavior of the boot image:

Images

On the Images tab, if you change the properties of the boot image by using an external
tool, select Reload.

Drivers
On the Drivers tab, add the Windows device drivers that WinPE requires to boot.
Consider the following points when you add device drivers:

Make sure that the drivers that you add to the boot image match the architecture
of the boot image.

To only display drivers for the architecture of the boot image, select Hide drivers
that do not match the architecture of the boot image. The architecture of the
driver is based on the architecture reported in the INF from the manufacturer.

WinPE already comes with many drivers built-in. Add only network and storage
drivers that aren't included in WinPE.

Add only network and storage drivers to the boot image, unless there are
requirements for other drivers in WinPE.

To only display storage and network drivers, select Hide drivers that are not in a
storage or network class (for boot images). This option also hides other drivers
that aren't typically needed for boot images, such as video or modem drivers.

To hide drivers that don't have a valid digital signature, select Hide drivers that are
not digitally signed.

Note

Import device drivers into the drivers catalog before you add them to a boot
image. For information about how to import device drivers, see Manage drivers.

Customization
On the Customization tab, select any of the following settings:

Select the Enable Prestart Commands option to specify a command to run before
the task sequence runs. When you enable this option, also specify the command
line to run and any support files required by the command.

Warning

Add cmd /c to the start of the command line. If you don't specify cmd /c, the
command won't close after it runs. The deployment continues to wait for the
command to finish and won't start any other configured commands or
actions.

Tip

During task sequence media creation, the wizard writes the package ID and
prestart command line to the CreateTSMedia.log file. This information
includes the value for any task sequence variables. This log is on the computer
that runs the Configuration Manager console. Review this log file to verify the
values for the task sequence variables.

Set the Windows PE Background settings to specify whether you want to use the
default WinPE background or a custom background.

Configure the Windows PE scratch space (MB), which is temporary storage (RAM
drive) used by WinPE. For example, when an application is run within WinPE and
needs to write temporary files, WinPE redirects the files to the scratch space in
memory to simulate the presence of a hard disk. By default, this amount is 512 MB
for devices with more than 1 GB of RAM, otherwise the default is 32 MB.

Select Enable command support (testing only) to open a command prompt by
using the F8 key while the boot image is deployed. This option is useful for
troubleshooting while you're testing your deployment. Using this setting in a
production deployment isn't advised because of security concerns.

Set default keyboard layout in WinPE: Configure the default keyboard layout for a
boot image. If you select a language other than en-us, Configuration Manager still
includes en-us in the available input locales. On the device, the initial keyboard
layout is the selected locale, but the user can switch the device to en-us if needed.

Tip

Use the Set-CMBootImage PowerShell cmdlet to configure these settings from a
script.

Optional Components
On the Optional Components tab, specify the components that are added to Windows
PE for use with Configuration Manager. For more information about available optional
components, see WinPE: Add packages (Optional Components Reference).

The following components are required by Configuration Manager and always added to
boot images:

Scripting (WinPE-Scripting)
Startup (WinPE-SecureStartup)
Network (WinPE-WDS-Tools)
Scripting (WinPE-WMI)

The Components list shows additional items that are added to this boot image. To add
more components, select the gold asterisk. To remove a component, select it from the
list, and then select the red X.

The following components are commonly used by customers:

Microsoft .NET (WinPE-NetFX): This component is a prerequisite for PowerShell. It's
one of the larger optional components.

Windows PowerShell (WinPE-PowerShell): This component requires .NET, and adds
limited PowerShell support. If you run custom PowerShell scripts during the WinPE
phase of your task sequence, add this component. There are other components
that may be required for other PowerShell cmdlets.

HTML (WinPE-HTA): If you run custom HTML applications during the WinPE phase
of your task sequence, add this component.

For more information about adding languages, see Configure multiple languages.

Data Source
On the Data Source tab, update any of the following settings:

To change the source file of the boot image, set Image path and Image index.

To create a schedule for when the site updates the boot image, select Update
distribution points on a schedule.

If you don't want the content of this package to age out of the client cache to
make room for other content, select Persist content in client cache.

To specify that the site only distributes changed files when it updates the boot
image package on the distribution point, select Enable binary differential
replication (BDR). This setting minimizes the network traffic between sites. BDR is
especially useful when the boot image package is large and the changes are
relatively small.

If you use the boot image in a PXE-enabled deployment, select Deploy this boot
image from the PXE-enabled distribution point. For more information, see Use
PXE to deploy Windows over the network.

Data Access
On the Data Access tab, you can configure package share settings. If needed in your
environment, set the option to Copy the content in this package to a package share on
distribution points. You then have the additional option to Use a custom name for the
package share and specify the custom Share name. Additional disk space is required on
distribution points when you enable this option. It applies to all distribution points that
receive this boot image.

Distribution Settings
On the Distribution Settings tab, select any of the following settings:

In the Distribution priority list, specify the priority level. Configuration Manager
uses this priority list when the site distributes multiple packages to the same
distribution point.

If you want to enable on-demand content distribution to preferred distribution
points, select Enable for on-demand distribution. When you enable this setting, if
a client requests the content for the package and the content isn't available on any
distribution points, then the management point distributes the content. For more
information, see On-demand content distribution.

To specify how you want the site to distribute the boot image to distribution points
that are enabled for prestaged content, set the Prestaged distribution point
settings. For more information about prestaged content, see Prestage content.

Content Locations
On the Content Locations tab, select the distribution point or distribution point group,
and use the following actions:

Validate: Check the integrity of the boot image package on the selected
distribution point or distribution point group.

Redistribute: Distribute the boot image to the selected distribution point or
distribution point group again.

Remove: Delete the boot image from the selected distribution point or distribution
point group.

Security
On the Security tab, view the administrative users that have permissions to this object.

Configure a boot image for PXE


Before you can use a boot image for a PXE-based deployment, configure the boot
image to deploy from a PXE-enabled distribution point.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Boot Images node.

2. Select the boot image that you want to modify.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. On the Data Source tab, select Deploy this boot image from the PXE-enabled
distribution point. For more information, see Use PXE to deploy Windows over the
network.

Configure multiple languages

Tip

You can configure the default keyboard layout on the properties of a boot image.
For more information, see Customization.

Boot images are language neutral. This functionality allows you to use one boot image
to display the task sequence text in multiple languages while in WinPE. Include the
appropriate language support from the boot image Optional Components tab. Then set
the appropriate task sequence variable to indicate which language to display. The
language of the deployed OS is independent from the language in WinPE. The language
that WinPE displays to the user is determined as follows:

When a user runs the task sequence from an existing OS, Configuration Manager
automatically uses the language configured for the user. When the task sequence
automatically runs as the result of a mandatory deployment deadline,
Configuration Manager uses the language of the OS.

For OS deployments that use PXE or media, set the language ID value in the
SMSTSLanguageFolder variable as part of a prestart command. When the
computer boots to WinPE, messages are displayed in the language that you
specified in the variable. If there's an error accessing the language resource file in
the specified folder, or you don't set the variable, WinPE displays messages in the
default language.

Note

When you protect media with a password, the text that prompts the user for
the password is always displayed in the WinPE language.

Use the following procedure to set the WinPE language for PXE or media-initiated OS
deployments.

Set the Windows PE language for a PXE or media-initiated OS deployment

1. Before you update the boot image, verify that the appropriate task sequence
resource file (tsres.dll) is in the corresponding language folder on the site server.
For example, the English resource file is in the following location:
<ConfigMgrInstallationFolder>\OSD\bin\x64\00000409\tsres.dll

2. As part of your prestart command, set the SMSTSLanguageFolder environment
variable to the appropriate language ID. The language ID must be specified by
using decimal and not hexadecimal format. For example, to set the language ID to
English, specify the decimal value 1033, not the hexadecimal value 00000409 of the
folder name.
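
The folder-name-to-language-ID mapping from steps 1 and 2, as an added example that is not part of the original article. The function name Get-TsLanguageId is hypothetical, and the folder tree is constructed in a temp directory so the script runs without a site server; on a real one, point -BinPath at <ConfigMgrInstallationFolder>\OSD\bin\x64.

```powershell
function Get-TsLanguageId {
    # Hypothetical helper: lists each language folder under OSD\bin\<arch>,
    # checks that tsres.dll is present, and returns the decimal language ID
    # that SMSTSLanguageFolder expects (the folder name is the same ID in hex).
    param(
        [Parameter(Mandatory)] [string] $BinPath
    )
    Get-ChildItem -LiteralPath $BinPath -Directory |
        Where-Object { $_.Name -match '^[0-9A-Fa-f]{8}$' } |
        ForEach-Object {
            $decimalId = [Convert]::ToInt32($_.Name, 16)
            $culture = try {
                [System.Globalization.CultureInfo]::GetCultureInfo($decimalId).Name
            } catch {
                'unknown'
            }
            [pscustomobject]@{
                Folder      = $_.Name       # hexadecimal, as stored on disk
                LanguageId  = $decimalId    # decimal, as set in the variable
                Culture     = $culture
                # Without tsres.dll, WinPE falls back to the default language.
                HasResource = Test-Path -LiteralPath (Join-Path $_.FullName 'tsres.dll')
            }
        }
}

# Constructed sample tree; 0000040C deliberately has no tsres.dll.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("tsres-demo-" + [guid]::NewGuid())
foreach ($name in '00000409', '00000407', '0000040C') {
    New-Item -Path (Join-Path $root $name) -ItemType Directory -Force | Out-Null
}
foreach ($name in '00000409', '00000407') {
    New-Item -Path (Join-Path (Join-Path $root $name) 'tsres.dll') -ItemType File | Out-Null
}

Get-TsLanguageId -BinPath $root | Format-Table -AutoSize

Remove-Item -LiteralPath $root -Recurse -Force
```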

Next steps
Customize boot images

Manage OS images

Customize boot images with Configuration Manager

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Each version of Configuration Manager supports a specific version of the Windows
Assessment and Deployment Kit (Windows ADK). You can service, or customize, boot
images from the Configuration Manager console when they're based on a Windows PE
(WinPE) version from the WinPE add-on of a supported version of the Windows ADK.
For more information on how to customize boot images in the Configuration Manager
console, see Manage boot images.

For boot images with other versions of WinPE, customize them by using another
method. For example, use the Deployment Image Servicing and Management (DISM)
command-line tool. Then import the boot images into Configuration Manager to use
with OS deployments.

For example, you install the Windows ADK and WinPE add-on for Windows 11 on the
site server. For x64 boot images based on WinPE version 11 from the WinPE add-on for
Windows 11, you can customize them from the Configuration Manager console.
However, while x86 boot images based on WinPE version 10 are supported, you need to
manually customize them from a different computer. Use the version of DISM that's
installed with the Windows ADK for Windows 10. Then, you can add the boot image to
the Configuration Manager console.

Important

The 32-bit versions of Windows PE (WinPE) in the WinPE add-ons for Windows 11
and Windows Server 2022 aren't supported. The last supported version of 32-bit
WinPE is available in the WinPE add-on for Windows 10, version 2004. For more
information, see Download and install the Windows ADK.

The following steps summarize the process to customize an x86 boot image that uses
WinPE version 10:

Install the Windows ADK and WinPE add-on for Windows 10, version 2004

Use the DISM command-line tool to:

  Mount the x86 boot image
  Add optional components
  Add drivers
  Commit the changes to the boot image

Import the customized boot image to Configuration Manager

Required components
The procedures in this article demonstrate how to add the WinPE optional components
that Configuration Manager requires:

WinPE-WMI: Adds Windows Management Instrumentation (WMI) support.

WinPE-Scripting: Adds Windows Script Host (WSH) support.

WinPE-WDS-Tools: Installs Windows Deployment Services (WDS) tools.

There are other WinPE packages available to add. For more information, see WinPE
optional components reference.

Customize the image with DISM


1. On a computer that doesn't have a version of the Windows ADK and doesn't have
any Configuration Manager components installed, install the Windows ADK
(adksetup.exe) and WinPE add-on (adkwinpesetup.exe). For more information, see
Other ADK downloads.

Tip

You only need to install the Deployment Tools component for this process.

2. Copy the boot image (winpe.wim) from the WinPE installation folder, which by
default is C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment
Kit\Windows Preinstallation Environment\x86\en-us. Create a working directory
on the computer where you'll customize the boot image, and copy the default
image file to it. This procedure uses C:\WinPE as the folder name. For example:

PowerShell

# Create the working directory and copy the default x86 WinPE image into it
$workingDir = New-Item -Path "C:\" -Name "WinPE" -ItemType "directory"

$peDir = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\en-us"

Copy-Item "$($peDir)\winpe.wim" -Destination $workingDir

3. Create a new folder to use as the mount point for the boot image. This procedure
uses C:\WinPEMount as the folder name.

PowerShell

New-Item -Path "C:\" -Name "WinPEMount" -ItemType "directory"

4. Use DISM to mount the boot image to a local Windows PE folder. For example,
type the following command line:

Important

Make sure you're using the version of DISM from the installed Windows ADK.
Windows may default to the OS version, which may not technically support
the version of WinPE that you're servicing. For more information, see DISM
supported platforms.

PowerShell

# Run the copy of DISM installed with the Windows ADK, not the OS copy
Set-Location "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\amd64\DISM\"

.\dism.exe /mount-wim /wimfile:C:\WinPE\winpe.wim /index:1 /mountdir:C:\WinPEMount

Tip

For more information on DISM commands, see the DISM Reference.

5. After you mount the boot image, use DISM to add optional components to the
boot image. By default, the optional components are located in C:\Program Files
(x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation
Environment\x86\WinPE_OCs.

Note

This procedure uses the default location and en-us locale for the optional
components. The path you use might be different depending on the version
and installation options you choose for the Windows ADK, and the locale of
the boot image.

Type the following commands to install the optional components that
Configuration Manager requires:

PowerShell

$ocpath = "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\x86\WinPE_OCs"

# Optional components that Configuration Manager requires
.\dism.exe /image:C:\WinPEMount /add-package /packagepath:"$($ocpath)\winpe-wmi.cab"

.\dism.exe /image:C:\WinPEMount /add-package /packagepath:"$($ocpath)\winpe-scripting.cab"

.\dism.exe /image:C:\WinPEMount /add-package /packagepath:"$($ocpath)\winpe-wds-tools.cab"

# Matching en-us language packs for the same components
.\dism.exe /image:C:\WinPEMount /add-package /packagepath:"$($ocpath)\en-us\winpe-wmi_en-us.cab"

.\dism.exe /image:C:\WinPEMount /add-package /packagepath:"$($ocpath)\en-us\winpe-scripting_en-us.cab"

.\dism.exe /image:C:\WinPEMount /add-package /packagepath:"$($ocpath)\en-us\winpe-wds-tools_en-us.cab"

Tip

For more information about the different packages that you can add to the
boot image, see WinPE optional components reference.

6. If needed, use DISM to add specific drivers to the boot image. For example, type
the following command to add a driver to the boot image:

PowerShell

.\dism.exe /image:C:\WinPEMount /add-driver /driver:C:\Drivers\driver.inf

7. When you're done making changes, type the following command to unmount the
boot image file and commit the changes:

PowerShell

.\dism.exe /unmount-wim /mountdir:C:\WinPEMount /commit

Important

Whether or not you will use this customized image, make sure to unmount it
when you're done. To not save your changes but still unmount the image, use
the /discard parameter instead of the /commit option.

8. Copy the customized boot image to your site's centralized package source
location.
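
A check to run between steps 6 and 7, as an added example rather than code from the original article: it parses the output of `.\dism.exe /image:C:\WinPEMount /get-packages` and reports which of the three required components, or their language packs, are missing, so you can decide between /commit and /discard. The function name Test-WinPERequiredComponent is hypothetical, and the sample output is constructed in the "Package Identity" / "State" layout that DISM prints.

```powershell
function Test-WinPERequiredComponent {
    # Hypothetical helper. Input: the text lines printed by
    #   .\dism.exe /image:C:\WinPEMount /get-packages
    param(
        [Parameter(Mandatory)] [string[]] $DismOutput,
        [string[]] $Required = @('WinPE-WMI', 'WinPE-Scripting', 'WinPE-WDS-Tools'),
        [string] $Locale = 'en-US'
    )

    # Pair each "Package Identity" line with the "State" line that follows it.
    $packages = @()
    $identity = $null
    foreach ($line in $DismOutput) {
        if ($line -match '^\s*Package Identity\s*:\s*(\S+)') {
            $identity = $Matches[1]
        } elseif ($identity -and $line -match '^\s*State\s*:\s*(.+?)\s*$') {
            # Identity layout: Name~PublicKeyToken~Arch~Language~Version
            $parts = $identity -split '~'
            $packages += [pscustomobject]@{
                Name     = $parts[0]
                Language = $parts[3]      # empty for the base package
                State    = $Matches[1]
            }
            $identity = $null
        }
    }

    foreach ($component in $Required) {
        # Packages added to an offline image show as Installed or Install Pending.
        $present = @($packages | Where-Object {
            $_.Name -eq "$component-Package" -and
            $_.State -in 'Installed', 'Install Pending'
        })
        [pscustomobject]@{
            Component     = $component
            BaseInstalled = [bool]($present | Where-Object { -not $_.Language })
            LanguagePack  = [bool]($present | Where-Object { $_.Language -eq $Locale })
        }
    }
}

# Constructed sample output (not captured from a real image). The en-US
# language pack for WinPE-WDS-Tools is deliberately absent.
$sampleOutput = @'
Deployment Image Servicing and Management tool

Packages listing:

Package Identity : WinPE-Scripting-Package~31bf3856ad364e35~x86~~10.0.19041.1
State : Installed
Release Type : Feature Pack

Package Identity : WinPE-Scripting-Package~31bf3856ad364e35~x86~en-US~10.0.19041.1
State : Installed
Release Type : Language Pack

Package Identity : WinPE-WDS-Tools-Package~31bf3856ad364e35~x86~~10.0.19041.1
State : Installed
Release Type : Feature Pack

Package Identity : WinPE-WMI-Package~31bf3856ad364e35~x86~~10.0.19041.1
State : Installed
Release Type : Feature Pack

Package Identity : WinPE-WMI-Package~31bf3856ad364e35~x86~en-US~10.0.19041.1
State : Installed
Release Type : Language Pack

The operation completed successfully.
'@ -split '\r?\n'

$result = Test-WinPERequiredComponent -DismOutput $sampleOutput
$result | Format-Table -AutoSize

$incomplete = @($result | Where-Object { -not ($_.BaseInstalled -and $_.LanguagePack) })
if ($incomplete.Count -gt 0) {
    "Incomplete: $($incomplete.Component -join ', '). Add the missing packages, or unmount with /discard."
} else {
    'All required components present. Unmount with /commit.'
}
```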

Import the boot image


Add the updated boot image to Configuration Manager to make it available to use in
your task sequences. Use the following steps to import the updated boot image:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Boot Images node.

2. On the Home tab of the ribbon, in the Create group, select Add Boot Image. This
action starts the Add Boot Image Wizard.

3. On the Data Source page, specify the following options:

Specify the Path to the updated boot image file. The specified path must be a
valid network path in the UNC format. For example:
\\server\share\WinPE10x86\winpe.wim

Choose the specific boot image from the Boot Image list. If the WIM file
contains multiple images, each image is listed.

4. On the General page, specify the following options:

Name: Specify a unique name for the boot image.

Version: Specify a version number for the boot image. This value doesn't
have to be the OS version, it's a string that you maintain for the boot image
version.

Comment: Specify an optional description of how the boot image is used to
better identify it in the console.

5. Complete the wizard.


Enable command shell for testing
You can enable a command shell in the boot image to open a command prompt by
using the F8 key while the boot image is deployed. This option is useful for
troubleshooting while you're testing your deployment. Using this setting in a production
deployment isn't advised because of security concerns.

Use the following steps to enable the command shell on a custom boot image:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Boot Images node.

2. Find the new boot image in the list and identify the package ID for the image. You
can find the package ID in the Image ID column for the boot image.

3. From a command prompt, type wbemtest to open the Windows Management
Instrumentation Tester.

4. For the Namespace, type \\<smsprovider>\root\sms\site_<sitecode>, and then
select Connect.

5. Select Open Instance. Type sms_bootimagepackage.packageID="<packageID>", and
then select OK.

6. Select Refresh Object, and then in the Properties pane select EnableLabShell.

7. Select Edit Property, change the value to TRUE, and select Save Property.

8. Select Save Object, and then exit the Windows Management Instrumentation
Tester.

Note

When you boot to WinPE from a customized boot image that includes tools that
you added, you can open a command prompt from WinPE and type the file name
of the tool to run it. The locations of these tools are automatically added to the path
variable.
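
Because command support isn't advised in production, it helps to audit which boot images have EnableLabShell set to TRUE. This is an added example, not code from the original article: Find-LabShellBootImage and its -ApprovedTestImage allow-list are hypothetical, the sample objects and package IDs are constructed, and the commented query assumes the SMS Provider namespace and the sms_bootimagepackage class named in steps 4 and 5.

```powershell
function Find-LabShellBootImage {
    # Hypothetical helper: flags boot images whose EnableLabShell property is
    # TRUE, and separates images on an approved test list from unexpected ones.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $BootImage,
        [string[]] $ApprovedTestImage = @()
    )
    process {
        foreach ($image in $BootImage) {
            # Missing or FALSE means F8 command support is off for this image.
            if ($image.EnableLabShell -ne $true) { continue }
            [pscustomobject]@{
                PackageID = $image.PackageID
                Name      = $image.Name
                Finding   = if ($ApprovedTestImage -contains $image.PackageID) {
                    'F8 enabled (approved test image)'
                } else {
                    'F8 enabled (not on approved list)'
                }
            }
        }
    }
}

# Constructed sample objects that reuse the property names of the
# sms_bootimagepackage instances edited in the procedure above.
$sample = @(
    [pscustomobject]@{ PackageID = 'XYZ00001'; Name = 'Boot image (x64)';        EnableLabShell = $false }
    [pscustomobject]@{ PackageID = 'XYZ00002'; Name = 'Boot image (x86)';        EnableLabShell = $true  }
    [pscustomobject]@{ PackageID = 'XYZ00003'; Name = 'Lab boot image (x64)';    EnableLabShell = $true  }
    [pscustomobject]@{ PackageID = 'XYZ00004'; Name = 'Custom WinPE 10 (x86)';   EnableLabShell = $null  }
)

$sample | Find-LabShellBootImage -ApprovedTestImage 'XYZ00003' | Format-Table -AutoSize

# Against a live site, with the same placeholders as steps 4 and 5. The second
# Get-CimInstance re-reads each instance in full before the check runs:
#
# Get-CimInstance -ComputerName '<smsprovider>' -Namespace 'root\sms\site_<sitecode>' `
#     -ClassName SMS_BootImagePackage |
#     Get-CimInstance |
#     Find-LabShellBootImage -ApprovedTestImage '<packageID>'
```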

Distribute content
Before you can use the boot image in a task sequence, distribute the boot image to
distribution points. Use the following steps to distribute the boot image:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Boot Images node.

2. Select the new custom boot image.

3. On the Home tab of the ribbon, in the Deployment group, select Update
Distribution Points.

Next steps
Manage boot images

Support for the Windows ADK in Configuration Manager


Manage OS images with Configuration Manager

Article • 10/04/2022

Applies to: Configuration Manager (current branch)

OS images in Configuration Manager are stored in the Windows image (WIM) file
format. These images are a compressed collection of reference files and folders used to
install and configure a new OS on a computer. Many OS deployment scenarios require
an OS image.

OS image types
You can use a default OS image, or build the OS image from a reference computer that
you configure. When you build the reference computer, you add OS files, drivers,
support files, software updates, tools, and applications to the OS. Then you capture it to
create the image file.

Default image
The Windows installation files include the default OS image. This image is a basic OS
image that contains a standard set of drivers. When you use the default OS image, use
task sequence steps to install apps and make other configurations after the OS installs
on a device. Locate the default OS image in the Windows source files:
\Sources\install.wim .

Default image advantages

The image size is smaller than a captured image.

Installing apps and configurations with task sequence steps is more dynamic. For
example, change the configurations and apps that install in the task sequence,
without having to reimage the device.

Default image disadvantages

OS installation can take more time. The application installation and other
configurations occur after the OS installation completes.

Captured image from a reference computer
To create a customized OS image, build a reference computer with the desired OS. Then
install applications and configure settings. Capture the OS image from the reference
computer to create the WIM file. Manually build the reference computer, or use a task
sequence to automate some or all of the build steps. For more information, see
Customize OS images.

Captured image advantages


The installation can be faster than using the default image. For example,
applications can be preinstalled with the captured OS image. Then you don't need
to install those same applications later by using task sequence steps.

Captured image disadvantages

The image size is potentially larger than the default image.

You need to create a new image when you require updates for applications and tools.

Add an OS image
Before you can use an OS image, add it to your Configuration Manager site.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Operating System Images node.

2. On the Home tab of the ribbon, in the Create group, select Add Operating System
Image. This action starts the Add Operating System Image Wizard.

3. On the Data Source page, specify the following information:

Network Path to the OS image file. For example,
\\server\share\path\image.wim.

Extract a specific image index from the specified WIM file and then select
an image index from the list. Starting in version 1902, this option
automatically imports a single index rather than all image indexes in the file.
Using this option results in a smaller image file, and faster offline servicing. It
also supports the process to Optimize image servicing, for a smaller image
file after applying software updates.

Note

Configuration Manager doesn't modify the source image file. It creates a
new image file in the same source directory.

This extraction process can fail for extremely large image files, for
example over 60 GB. The DISM error is Not enough storage is available
to process this command. The command line that Configuration
Manager uses is in the smsprov.log and dism.log. Manually run the same
command and then import the image.

Starting in version 1906, if you want to pre-cache content on a client, specify
the Architecture and Language of the image. For more information, see
Configure pre-cache content.

4. On the General page, specify the following information. This information is useful
for identification purposes when you have more than one OS image.

Name: A unique name for the image. By default, the name comes from the
WIM file name.

Version: An optional version identifier. This property doesn't need to be the
OS version of the image. It's often your organization's version for the
package.

Comment: An optional brief description.

5. Complete the wizard.

For the PowerShell cmdlet equivalent of this console wizard, see
New-CMOperatingSystemImage.

Next, distribute the OS image to distribution points.

Distribute content to distribution points


Distribute OS images to distribution points the same as other content. Before you
deploy the task sequence, distribute the OS image to at least one distribution point. For
more information, see Distribute content.

Apply software updates to an image


Note

This section applies to both OS images and OS upgrade packages. It uses the
general term "image" to refer to the Windows image file (WIM). Both of these
objects have a WIM, which contains Windows installation files. Software updates
are applicable to these files in both objects. The behavior of this process is the
same between both objects.

Each month there are new software updates applicable to the image. Before you can
apply software updates to it, you need the following prerequisites:

A software updates infrastructure
Successfully synchronized software updates
Downloaded the software updates to the content library on the site server

For more information, see Deploy software updates.

Apply applicable software updates to an image on a specified schedule. This process is
sometimes called offline servicing. On this schedule, Configuration Manager applies the
selected software updates to the image. It can then also redistribute the updated image
to distribution points.

Important

While you can select any software update that's applicable to the image based on
version, DISM can only apply certain types of updates to the image. The
OfflineServicingMgr.log file shows the following entry: Not applying this update
binary, it is not supported.

The site database stores information about the image, including the software updates
that were applied at the time of the import. Software updates that you apply to the
image since it was initially added are also stored in the site database. When you start the
wizard to apply software updates, it retrieves the list of applicable software updates that
the site hasn't yet applied to the image. Configuration Manager copies the software
updates that you select from the content library on the site server. It then applies the
software updates to the image.

Servicing process

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select either Operating System Images or
Operating System Upgrade Packages.

2. Select the object to which to apply software updates.

3. On the ribbon, select Schedule Updates to start the wizard.

4. On the Choose Updates page, select the software updates to apply to the image. It
may take some time for the list of updates to appear in the wizard. Use the Filter
to search for strings in the metadata. Use the System architecture drop-down list
to filter on X86, X64, or All. You can select one, many, or all updates in the list.
When you're finished selecting updates, select Next.

5. On the Set Schedule page, specify the following settings, and then select Next.

a. Schedule: Specify the schedule for when the site applies the software updates
to the image.

b. Continue on error: Select this option to continue to apply software updates to
the image even when there's an error.

c. Update distribution points with the image: Select this option to update the
image on distribution points after the site applies the software updates.

6. Complete the Schedule Updates Wizard.

Note

To minimize the payload size, the servicing of OS upgrade packages and OS images
removes the older version.

Servicing operations
In the Configuration Manager console, in either the OS Images or OS Upgrade
Packages node, add the following columns to the view:

Scheduled Updates Date: This property shows the next schedule that you've
defined.

Scheduled Updates Status: This property shows the status. For example,
Successful or In Process.

Select a specific image object, and then switch to the Update Status tab in the details
pane. This tab shows the list of updates in the image.

Select a specific image object, and select Properties in the ribbon. The Installed
Updates tab shows the list of updates in the image. The Servicing tab is a read-only
view of the current servicing schedule and the updates that you've scheduled to apply.

When the status is In Process, you can select Cancel Scheduled Updates on the ribbon.
This action cancels the active servicing process.

To troubleshoot this process, view the OfflineServicingMgr.log and dism.log files on the
site server. For more information, see Log files.

Specify the drive for offline OS image servicing


You can specify the drive that Configuration Manager uses during offline servicing of OS
images. This process can consume a large amount of disk space with temporary files.
This option gives you flexibility to select the drive to use.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. In the ribbon, select
Configure Site Components and then choose Operating System Deployment.

2. On the Offline Servicing tab, specify the option for A local drive to be used by
offline servicing of images.

By default, this setting is Automatic. With this value, Configuration Manager selects the
drive on which it's installed.

If you select a drive that doesn't exist on the site server, Configuration Manager behaves
the same as if you select Automatic.

During offline servicing, Configuration Manager stores temporary files in the folder,
<drive>:\ConfigMgr_OfflineImageServicing. It also mounts the OS image in this folder.

Optimized image servicing


When you apply software updates to an OS image, you can optimize the output by
removing any superseded updates. The optimization to offline servicing only applies to
images with a single index.

When you schedule the site to apply software updates to an OS image, it uses the
Windows Deployment Image Servicing and Management (DISM) command-line tool.
During the servicing process, this change introduces the following two additional steps:

It runs DISM against the mounted offline image with the parameters
/Cleanup-Image /StartComponentCleanup /ResetBase . If this command fails, the current
servicing process fails. It doesn't commit any changes to the image.

After Configuration Manager commits changes to the image and unmounts it from
the file system, it exports the image to another file. This step uses the DISM
parameter /Export-Image . It removes unneeded files from the image, which
reduces the size.
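The two extra steps described above can be reproduced by hand with dism.exe, for example to measure how long the optimization takes and how much disk space it needs before you enable it in the wizard. This is an added example, not Configuration Manager's own code; every path is a placeholder, and it assumes an elevated PowerShell session with the DISM PowerShell module available.

```powershell
#Requires -RunAsAdministrator
# Added example: manual equivalent of the optimized servicing steps.
# All paths below are placeholders (assumptions), not Configuration Manager values.
$ErrorActionPreference = 'Stop'

$Wim       = 'D:\Staging\install.wim'            # image to service
$MountDir  = 'D:\Staging\Mount'                  # empty folder used as mount point
$UpdateDir = 'D:\Staging\Updates'                # folder holding .cab/.msu updates
$Exported  = 'D:\Staging\install.optimized.wim'  # result of /Export-Image

function Invoke-Dism {
    # Run dism.exe and turn a non-zero exit code into a terminating error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dism.exe @Arguments | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The optimization only applies to images with a single index.
$images = @(Get-WindowsImage -ImagePath $Wim)
if ($images.Count -ne 1) {
    throw "$Wim has $($images.Count) indexes; optimization needs a single-index image."
}
$index = $images[0].ImageIndex

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Invoke-Dism @('/Mount-Image', "/ImageFile:$Wim", "/Index:$index", "/MountDir:$MountDir")

$serviced = $false
try {
    # Apply the updates, then remove superseded components.
    Invoke-Dism @("/Image:$MountDir", '/Add-Package', "/PackagePath:$UpdateDir")
    Invoke-Dism @("/Image:$MountDir", '/Cleanup-Image', '/StartComponentCleanup', '/ResetBase')
    $serviced = $true
}
finally {
    # If any step failed, discard so that nothing is committed to the image.
    $mode = if ($serviced) { '/Commit' } else { '/Discard' }
    & dism.exe /Unmount-Image "/MountDir:$MountDir" $mode | Out-Host
    $unmountExit = $LASTEXITCODE
    if ($unmountExit -ne 0) { Write-Warning "Unmount ($mode) returned exit code $unmountExit" }
}
if ($unmountExit -ne 0) { throw "Unmount with /Commit failed; the image was not updated." }

# /Export-Image appends to an existing destination file, so start from a clean one.
if (Test-Path -LiteralPath $Exported) { Remove-Item -LiteralPath $Exported }
Invoke-Dism @('/Export-Image', "/SourceImageFile:$Wim", "/SourceIndex:$index",
              "/DestinationImageFile:$Exported")

'{0:N0} MB serviced, {1:N0} MB after export' -f `
    ((Get-Item -LiteralPath $Wim).Length / 1MB),
    ((Get-Item -LiteralPath $Exported).Length / 1MB)
```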

Microsoft recommends that you regularly apply updates to your offline images. You
don't have to use this option every time you service an image. When you do this process
each month, this option provides you the greatest advantage by using it over time. For
more information, see Recommendations for Install Software Updates step.

While this option helps reduce the overall size of the serviced image, it does take longer
to complete the process. Use the wizard to schedule servicing during convenient times.
It also requires additional storage on the site server. You can customize the site to use
an alternate location. For more information, see Specify the drive for offline OS image
servicing.

Process to optimize image servicing


1. Start the servicing process.

2. On the Set Schedule page, select the option to Remove superseded updates after
the image is updated. This option isn't automatically enabled. If the image has
more than one index, you can't use this option.

3. To schedule image servicing, complete the wizard.

Validate and monitor the process using the OfflineServicing.log.

Prepare the OS image for multicast deployments

Use multicast deployments to allow more than one computer to simultaneously
download an OS image. The image is multicast to clients by the distribution point, rather
than each client downloading a copy of the image from the distribution point over a
separate connection. When you choose the OS deployment method to Use multicast to
deploy Windows over the network, configure the OS image to support multicast. Then
distribute the image to a multicast-enabled distribution point.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Operating System Images node.

2. Select the OS image that you want to distribute to a multicast-enabled distribution
point.

3. On the Home tab of the ribbon, in the Properties group, select Properties.

4. Switch to the Distribution Settings tab, and configure the following options:

Allow this package to be transferred via multicast (WinPE only): Select this
option for Configuration Manager to simultaneously deploy OS images using
multicast.

Encrypt multicast packages: Specify whether the site encrypts the image
before it's sent to the distribution point. If the image contains sensitive
information, use this option. If the image isn't encrypted, its contents are
visible in clear text on the network. Then an unauthorized user could
intercept and view the image contents.

Transfer this package only via multicast: Specify whether you want the
distribution point to deploy the image only during a multicast session.

If you select Transfer this package only via multicast, you must also specify
the task sequence deployment option to Download content locally when
needed by the running task sequence. For more information, see Deploy a
task sequence.

5. Select OK to save the settings and close the image properties.


Customize operating system images with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Operating system images in Configuration Manager are WIM files and represent a
compressed collection of reference files and folders that are required to successfully
install and configure an operating system on a computer. A custom operating system
image is built and captured from a reference computer that you configure with all the
required operating system files, support files, software updates, tools, and other
software apps. The extent to which you manually configure the reference computer is up
to you. You can completely automate the configuration of the reference computer by
using a build and capture task sequence, you can manually configure certain aspects of
the reference computer and then automate the rest by using task sequences, or you can
manually configure the reference computer without using task sequences. Use the
following sections to customize an operating system.

Prepare for the reference computer


There are several things to think about before you capture an operating system
image from a reference computer.

Decide between an automated or manual configuration


The following outlines the advantages and disadvantages of an automated and a manual
configuration of the reference computer.

Automated configuration
Advantages

The configuration can be completely unattended, which eliminates the
requirement for an administrator or user to be present.

You can reuse the task sequence to repeat the configuration of additional
reference computers with a high level of confidence.

You can modify the task sequence to accommodate differences in reference
computers without having to recreate the entire task sequence.

Disadvantages

The initial action to build a task sequence can take a long time to create and test.

If the reference computer requirements change significantly, it can take a long
time to rebuild and retest the task sequence.

Manual configuration

Advantages

You do not have to create a task sequence or take the time to test and
troubleshoot the task sequence.

You can install directly from CDs without putting all the software packages
(including Windows itself) into a Configuration Manager package.

Disadvantages

The accuracy of the reference computer configuration depends on the
administrator or user who configures the computer.

You must still verify and test that the reference computer is configured correctly.

You cannot reuse the configuration method.

Requires a person to be actively involved throughout the process.

Considerations for the reference computer


The following lists the basic items to consider when you configure a reference computer.

Operating system to deploy

The reference computer must be installed with the operating system that you
intend to deploy to your destination computers. For more information about the
operating systems that you can deploy, see Infrastructure requirements for
operating system deployment.

Appropriate service pack

The reference computer must be installed with the operating system that you
intend to deploy to your destination computers.

Appropriate software updates


Install all software applications that you want included in the operating system
image that you capture from the reference computer. You can also install software
applications when you deploy the captured operating system image to your
destination computers.

Workgroup membership

The reference computer must be configured as a member of a workgroup.

Sysprep

The System Preparation (Sysprep) tool is a technology that you can use with other
deployment tools to install Windows operating systems onto new hardware.
Sysprep prepares a computer for disk imaging or delivery to a customer by
configuring the computer to create a new computer security identifier (SID) when
the computer is restarted. In addition, Sysprep cleans up user and computer-
specific settings and data that must not be copied to a destination computer.

You can manually Sysprep the reference computer by running the following
command:

Sysprep /quiet /generalize /reboot

The /generalize option instructs Sysprep to remove system-specific data from the
Windows installation. System-specific information includes event logs, unique
security IDs (SIDs), and other unique information. After the unique system
information is removed, the computer restarts.

You can automate Sysprep by using the Prepare Windows for Capture task
sequence step or capture media.

Important

The Prepare Windows for Capture task sequence step attempts to reset the
local administrator password on the reference computer to a blank value
before Sysprep runs. If the Local Security policy Password must meet
complexity requirements is enabled, this task sequence step fails to reset the
administrator password. In this scenario, disable this policy before you run the
task sequence.

For more information about Sysprep, see Sysprep (System Preparation) overview.

Appropriate tools and scripts required to mitigate installation scenarios

Appropriate desktop customization, such as wallpaper, branding, and default
user profile

You can configure the reference computer with the desktop customization
properties that you want to include when you capture the operating system image
from the reference computer. Desktop properties include wallpaper, organizational
branding, and a standard default user profile.

Manually build a reference computer


Use the following procedure to manually build a reference computer.

Note

When you manually build the reference computer, you can capture the operating
system image by using capture media. For more information, see Create capture
media.

To manually build the reference computer


1. Identify the computer to use as the reference computer.

2. Configure the reference computer with the appropriate operating system and any
other software that is required to create the operating system image that you want
to deploy.

Warning

At a minimum, install the appropriate operating system and service pack,
support drivers, and required software updates.

3. Configure the reference computer to be a member of a workgroup.

4. Reset the local Administrator password on the reference computer so that the
password value is blank.

5. Run Sysprep by using the command: sysprep /quiet /generalize /reboot. The
/generalize option instructs Sysprep to remove system-specific data from the
Windows installation. System-specific information includes event logs, unique
security IDs (SIDs), and other unique information. After the unique system
information is removed, the computer restarts.

After the reference computer is ready, use a task sequence to capture the
operating system image from the reference computer. For detailed steps, see
Capture an operating system image from an existing reference computer.

Use a task sequence to build a reference computer

You can automate the process to create a reference computer by using a task sequence
to deploy the operating system, drivers, applications, and so on. Use the following steps
to build the reference computer and then to capture the operating system image from
the reference computer.

Use a task sequence to build and capture the operating system image from the
reference computer. For detailed steps, see Use a task sequence to build and
capture a reference computer.

Manage OS upgrade packages with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

An OS upgrade package in Configuration Manager contains the Windows setup source
files to upgrade an existing OS on a computer. This article describes how to add,
distribute, and service an OS upgrade package.

Note

OS upgrade packages can also be used for new installations of Windows. However,
this depends on the drivers being compatible with this method. When performing
new installations of Windows from an OS upgrade package, drivers are installed
while still in Windows PE versus simply being injected while in Windows PE. Some
drivers are not compatible with being installed while in Windows PE. If drivers are
not compatible with being installed while in Windows PE, then use an OS image,
such as install.wim, instead.

Add an OS upgrade package


Before you can use an OS upgrade package, first add it to your Configuration Manager
site.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Operating System Upgrade
Packages node.

2. On the Home tab of the ribbon, in the Create group, select Add Operating System
Upgrade Package. This action starts the Add Operating System Upgrade Wizard.

3. On the Data Source page, specify the following settings:

The network Path to the installation source files of the OS upgrade package.
For example, \\server\share\path .

Note

The installation source files contain setup.exe and other files and folders
to install the OS.

Important

Limit access to these installation source files to prevent unwanted
tampering.

Starting in version 2107, review and agree to the license terms for this OS
media on behalf of your organization.

Extract a specific image index from install.wim file of selected upgrade
package and then select an image index from the list. This option
automatically imports a single index rather than all image indexes in the file.
Using this option results in a smaller image file, and faster offline servicing. It
also supports the process to Optimize image servicing, for a smaller image
file after applying software updates.

Important

Configuration Manager overwrites the existing install.wim in the OS
upgrade package. It extracts the image index to a temporary location,
and then moves it into the original source directory. Before you import
an OS upgrade package and enable this option, make sure to back up
the original source files.

If you want to pre-cache content on a client, specify the Architecture and
Language of the image. For more information, see Configure pre-cache
content.

4. On the General page, specify the following information. This information is useful
for identification purposes when you have more than one OS upgrade package.

Name: A unique name for the OS upgrade package.

Version: An optional version identifier. This property doesn't need to be the
OS version of the upgrade package. It's often your organization's version for
the package.

Comment: An optional brief description.

5. Complete the wizard.
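The Data Source step asks you to limit access to the installation source files to prevent tampering. The following added example, which is not part of the original documentation, reviews who can change content under the source path and compares the files against a SHA-256 baseline. `$SourcePath`, `$ExpectedWriters` and `$Baseline` are placeholders (assumptions) to adapt to your environment.

```powershell
# Added example: review write access and file integrity of the OS upgrade source.
# $SourcePath, $ExpectedWriters and $Baseline are placeholders (assumptions).
$ErrorActionPreference = 'Stop'
$SourcePath      = '\\server\share\path'
$ExpectedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$Baseline        = 'C:\Baselines\os-upgrade-source.csv'   # keep this off the share

# Rights that let an identity change or replace content, plus the
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$Fsr = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Fsr::WriteData -bor $Fsr::AppendData -bor $Fsr::Delete -bor
                   $Fsr::DeleteSubdirectoriesAndFiles -bor $Fsr::ChangePermissions -bor
                   $Fsr::TakeOwnership) -bor 0x10000000 -bor 0x40000000

function Get-UnexpectedWriter {
    # Return Allow ACEs that grant write-type rights to identities outside the allow list.
    param([Parameter(Mandatory)][string]$Path, [string[]]$Allowed = @())
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($Allowed -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$root  = (Get-Item -LiteralPath $SourcePath).FullName
$items = @(Get-ChildItem -LiteralPath $root -Recurse -Force)

# Report every finding on the root, and only explicit (non-inherited) ACEs below it,
# so an ACL changed deep in the tree still shows up without repeating inherited entries.
$findings = @(Get-UnexpectedWriter -Path $root -Allowed $ExpectedWriters)
foreach ($item in $items) {
    $findings += @(Get-UnexpectedWriter -Path $item.FullName -Allowed $ExpectedWriters |
                   Where-Object { -not $_.Inherited })
}
$findings | Format-Table -AutoSize

# Integrity baseline: record SHA-256 of every file once, then compare on later runs.
$current = foreach ($file in ($items | Where-Object { -not $_.PSIsContainer })) {
    [pscustomobject]@{
        RelativePath = $file.FullName.Substring($root.Length)
        Hash         = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    }
}
if (Test-Path -LiteralPath $Baseline) {
    $previous = @(Import-Csv -LiteralPath $Baseline)
    # '<=' rows exist only in the baseline, '=>' rows only in the current state.
    Compare-Object $previous @($current) -Property RelativePath, Hash |
        Sort-Object RelativePath | Format-Table -AutoSize
} else {
    $current | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    "Baseline written to $Baseline"
}
```

This reads NTFS permissions only; share-level permissions are set separately on the file server. A changed install.wim hash is expected after you use the image index extraction option or offline servicing, so refresh the baseline after those operations.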


Next, distribute the OS upgrade package to distribution points.

Distribute content to a distribution point


Distribute OS upgrade packages to distribution points the same as other content. Before
you deploy the task sequence, distribute the OS upgrade package to at least one
distribution point. For more information, see Distribute content.

Apply software updates to an image

Note

This section applies to both OS images and OS upgrade packages. It uses the
general term "image" to refer to the Windows image file (WIM). Both of these
objects have a WIM, which contains Windows installation files. Software updates
are applicable to these files in both objects. The behavior of this process is the
same between both objects.

Each month there are new software updates applicable to the image. Before you can
apply software updates to it, you need the following prerequisites:

A software updates infrastructure
Successfully synchronized software updates
Downloaded the software updates to the content library on the site server

For more information, see Deploy software updates.

Apply applicable software updates to an image on a specified schedule. This process is
sometimes called offline servicing. On this schedule, Configuration Manager applies the
selected software updates to the image. It can then also redistribute the updated image
to distribution points.

Important

While you can select any software update that's applicable to the image based on
version, DISM can only apply certain types of updates to the image. The
OfflineServicingMgr.log file shows the following entry:
Not applying this update binary, it is not supported .

The site database stores information about the image, including the software updates
that were applied at the time of the import. Software updates that you apply to the
image since it was initially added are also stored in the site database. When you start the
wizard to apply software updates, it retrieves the list of applicable software updates that
the site hasn't yet applied to the image. Configuration Manager copies the software
updates that you select from the content library on the site server. It then applies the
software updates to the image.

Servicing process

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select either Operating System Images or
Operating System Upgrade Packages.

2. Select the object to which to apply software updates.

3. On the ribbon, select Schedule Updates to start the wizard.

4. On the Choose Updates page, select the software updates to apply to the image. It
may take some time for the list of updates to appear in the wizard. Use the Filter
to search for strings in the metadata. Use the System architecture drop-down list
to filter on X86, X64, or All. You can select one, many, or all updates in the list.
When you're finished selecting updates, select Next.

5. On the Set Schedule page, specify the following settings, and then select Next.

a. Schedule: Specify the schedule for when the site applies the software updates
to the image.

b. Continue on error: Select this option to continue to apply software updates to
the image even when there's an error.

c. Update distribution points with the image: Select this option to update the
image on distribution points after the site applies the software updates.

6. Complete the Schedule Updates Wizard.

Note

To minimize the payload size, the servicing of OS upgrade packages and OS images
removes the older version.

Servicing operations

In the Configuration Manager console, in either the OS Images or OS Upgrade
Packages node, add the following columns to the view:

Scheduled Updates Date: This property shows the next schedule that you've
defined.
Scheduled Updates Status: This property shows the status. For example,
Successful or In Process.

Select a specific image object, and then switch to the Update Status tab in the details
pane. This tab shows the list of updates in the image.

Select a specific image object, and select Properties in the ribbon. The Installed
Updates tab shows the list of updates in the image. The Servicing tab is a read-only
view of the current servicing schedule and the updates that you've scheduled to apply.

When the status is In Process, you can select Cancel Scheduled Updates on the ribbon.
This action cancels the active servicing process.

To troubleshoot this process, view the OfflineServicingMgr.log and dism.log files on the
site server. For more information, see Log files.

Specify the drive for offline OS image servicing


You can specify the drive that Configuration Manager uses during offline servicing of OS
images. This process can consume a large amount of disk space with temporary files.
This option gives you flexibility to select the drive to use.

1. In the Configuration Manager console, go to the Administration workspace,
expand Site Configuration, and select the Sites node. In the ribbon, select
Configure Site Components and then choose Operating System Deployment.

2. On the Offline Servicing tab, specify the option for A local drive to be used by
offline servicing of images.

By default, this setting is Automatic. With this value, Configuration Manager selects the
drive on which it's installed.

If you select a drive that doesn't exist on the site server, Configuration Manager behaves
the same as if you select Automatic.

During offline servicing, Configuration Manager stores temporary files in the folder,
<drive>:\ConfigMgr_OfflineImageServicing . It also mounts the OS image in this folder.

Optimized image servicing

When you apply software updates to an OS image, you can optimize the output by
removing any superseded updates. The optimization to offline servicing only applies to
images with a single index.

When you schedule the site to apply software updates to an OS image, it uses the
Windows Deployment Image Servicing and Management (DISM) command-line tool.
During the servicing process, this change introduces the following two additional steps:

It runs DISM against the mounted offline image with the parameters
/Cleanup-Image /StartComponentCleanup /ResetBase . If this command fails, the current
servicing process fails. It doesn't commit any changes to the image.

After Configuration Manager commits changes to the image and unmounts it from
the file system, it exports the image to another file. This step uses the DISM
parameter /Export-Image . It removes unneeded files from the image, which
reduces the size.

Microsoft recommends that you regularly apply updates to your offline images. You
don't have to use this option every time you service an image. When you do this process
each month, this option provides you the greatest advantage by using it over time. For
more information, see Recommendations for Install Software Updates step.

While this option helps reduce the overall size of the serviced image, it does take longer
to complete the process. Use the wizard to schedule servicing during convenient times.
It also requires additional storage on the site server. You can customize the site to use
an alternate location. For more information, see Specify the drive for offline OS image
servicing.

Process to optimize image servicing


1. Start the servicing process.

2. On the Set Schedule page, select the option to Remove superseded updates after
the image is updated. This option isn't automatically enabled. If the image has
more than one index, you can't use this option.

3. To schedule image servicing, complete the wizard.

Validate and monitor the process using the OfflineServicing.log.

Next steps

Create a task sequence to upgrade an OS

Manage drivers in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager provides a driver catalog that you can use to manage the
Windows device drivers in your Configuration Manager environment. Use the driver
catalog to import device drivers into Configuration Manager, to group them in
packages, and to distribute those packages to distribution points. Device drivers can be
used when you install the full OS on the destination computer and when you use
Windows PE in a boot image. Windows device drivers consist of a setup information
(INF) file and any additional files that are required to support the device. When you
deploy an OS, Configuration Manager obtains the hardware and platform information
for the device from its INF file.

Driver categories

When you import device drivers, you can assign the device drivers to a category. Device
driver categories help group similarly used device drivers together in the driver catalog.
For example, set all network adapter device drivers to a specific category. Then, when
you create a task sequence that includes the Auto Apply Drivers step, specify a category
of device drivers. Configuration Manager then scans the hardware and selects the
applicable drivers from that category to stage on the system for Windows Setup to use.

Driver packages

Group similar device drivers in packages to help streamline OS deployments. For
example, create a driver package for each computer manufacturer on your network. You
can create a driver package when importing drivers into the driver catalog directly in the
Driver Packages node. After you create a driver package, distribute it to distribution
points. Then Configuration Manager client computers can install the drivers as required.

Consider the following points:

When you create a driver package, the source location of the package must point
to an empty network share that's not used by another driver package. The SMS
Provider must have Full control permissions to that location.

When you add device drivers to a driver package, Configuration Manager copies them
to the package source location. You can add to a driver package only device
drivers that you've imported and that are enabled in the driver catalog.

You can copy a subset of the device drivers from an existing driver package. First,
create a new driver package. Then add the subset of device drivers to the new
package, and then distribute the new package to a distribution point.

When you use task sequences to install drivers, create driver packages that contain
less than 500 device drivers.

Create a driver package

Important

To create a driver package, you must have an empty network folder that's not used
by another driver package. In most cases, create a new folder before you start this
procedure.

1. In the Configuration Manager console, go to the Software Library workspace.
Expand Operating Systems, and then select the Driver Packages node.

2. On the Home tab of the ribbon, in the Create group, select Create Driver Package.

3. Specify a descriptive Name for the driver package.

4. Enter an optional Comment for the driver package. Use this description to provide
information about the contents or the purpose of the driver package.

5. In the Path box, specify an empty source folder for the driver package. Each driver
package must use a unique folder. This path is required as a network location.

Important

The site server account must have Full control permissions to the specified
source folder.

The new driver package doesn't contain any drivers. The next step adds drivers to the
package.

If the Driver Packages node contains several packages, you can add folders to the node
to separate the packages into logical groups.

Additional actions for driver packages

You can do additional actions to manage driver packages when you select one or more
driver packages from the Driver Packages node.

Create prestage content file

Creates files that you can use to manually import content and its associated metadata.
Use prestaged content when you have low network bandwidth between the site server
and the distribution points where the driver package is stored.

Delete (driver package)

Removes the driver package from the Driver Packages node.

Distribute content

Distributes the driver package to distribution points, distribution point groups, and
distribution point groups that are associated with collections.

Export (driver package)


Start the Export Driver Package Wizard to save associated drivers and content to a file.
Use this process to move driver packages between hierarchies.

Import driver package


Start the Import Driver Package Wizard to create a driver package from a previously
exported package.

Tip

Starting in version 2010, when you import an object in the Configuration Manager
console, it now imports to the current folder. Previously, Configuration Manager
always put imported objects in the root node.

Manage access accounts

Adds, modifies, or removes access accounts for the driver package.


For more information about package access accounts, see Accounts used in
Configuration Manager.

Move (driver package)

Moves the driver package to another folder in the Driver Packages node.

Properties (driver package)

Opens the Properties window. Review and change the content and properties of the
driver. For example, change the name and description of the driver, enable or disable it,
and specify on which platforms it can run.

Driver packages have metadata fields for Manufacturer and Model. Use these fields to
tag driver packages with information to assist in general housekeeping, or to identify
old and duplicate drivers that you can delete. On the General tab, select an existing
value, or enter a string to create a new entry.

In the Driver Packages node, these fields display in the list as the Driver Manufacturer
and Driver Model columns. They can also be used as search criteria.

Starting in version 1906, use these attributes to pre-cache content on a client. For more
information, see Configure pre-cache content.

Show members

View all the drivers in the selected driver package.

Update distribution points

Updates the driver package on all the distribution points where the site stores it. This
action copies only the content that has changed after the last time it was distributed.

Device drivers

You can install drivers on destination computers without including them in the OS image
that is deployed. Configuration Manager provides a driver catalog that contains
references to all the drivers that you import into Configuration Manager. The driver
catalog is located in the Software Library workspace and consists of two nodes: Drivers
and Driver Packages. The Drivers node lists all the drivers that you've imported into the
driver catalog.

Import device drivers into the driver catalog

Before you can use a driver when you deploy an OS, import it into the driver catalog. To
better manage them, import only the drivers that you plan to install as part of your OS
deployments. Store multiple versions of drivers in the catalog to provide an easy way to
upgrade existing drivers when hardware device requirements change on your network.

As part of the import process for the device driver, Configuration Manager reads the
following properties about the driver:

Provider
Class
Version
Signature
Supported hardware
Supported platform information

By default, the driver is named after the first hardware device that it supports. You can
rename the device driver later. The supported platforms list is based on the information
in the INF file of the driver. Because the accuracy of this information can vary, manually
verify that the driver is supported after you import it into the catalog.

After you import device drivers into the catalog, add them to driver packages or boot
image packages.

Important

You can't import device drivers directly into a subfolder of the Drivers node. To
import a device driver into a subfolder, first import the device driver into the
Drivers node, and then move the driver to the subfolder.
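One way to do the manual verification mentioned above before you start the import, as an added example that is not part of the original documentation: it reads the [Version] section of each INF, which declares the provider, class, version and catalog file, and checks the Authenticode signature of that catalog. `$DriverSource` is a placeholder (assumption), and the check covers the catalog's signature only, not whether every driver file is listed in it.

```powershell
# Added example: pre-import review of driver INF metadata and catalog signatures.
# $DriverSource is a placeholder (assumption) for the folder you plan to import.
$ErrorActionPreference = 'Stop'
$DriverSource = '\\servername\share\folder'

function Get-InfVersionSection {
    # Return the key/value pairs of the [Version] section of an INF file.
    # Simplification: a ';' inside a quoted value is treated as a comment start.
    param([Parameter(Mandatory)][string]$Path)
    $values    = @{}          # PowerShell hashtable literals are case-insensitive
    $inVersion = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -replace ';.*$', '').Trim()
        if ($text -match '^\[(.+)\]$') {
            $inVersion = ($Matches[1].Trim() -ieq 'Version')
            continue
        }
        if ($inVersion -and $text -match '^([^=]+)=(.*)$') {
            $values[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $values
}

$report = foreach ($inf in Get-ChildItem -LiteralPath $DriverSource -Filter *.inf -Recurse -File) {
    $version = Get-InfVersionSection -Path $inf.FullName

    # INF files may use CatalogFile or a platform-decorated form such as CatalogFile.NTamd64.
    $catalogKey = $version.Keys | Where-Object { $_ -like 'CatalogFile*' } | Select-Object -First 1
    $catalog = $null
    $status  = 'NoCatalogDeclared'
    $signer  = $null

    if ($catalogKey) {
        $catalog     = $version[$catalogKey]
        $catalogPath = Join-Path -Path $inf.DirectoryName -ChildPath $catalog
        if (Test-Path -LiteralPath $catalogPath) {
            $signature = Get-AuthenticodeSignature -LiteralPath $catalogPath
            $status    = [string]$signature.Status
            if ($signature.SignerCertificate) { $signer = $signature.SignerCertificate.Subject }
        } else {
            $status = 'CatalogMissing'
        }
    }

    [pscustomobject]@{
        Inf             = $inf.FullName.Substring($DriverSource.Length)
        Provider        = $version['Provider']    # often a %token% resolved in [Strings]
        Class           = $version['Class']
        DriverVer       = $version['DriverVer']
        Catalog         = $catalog
        SignatureStatus = $status
        Signer          = $signer
    }
}

# Full inventory, then only the drivers that need a closer look before import.
$report | Sort-Object SignatureStatus, Inf | Format-Table -AutoSize
$report | Where-Object { $_.SignatureStatus -ne 'Valid' } |
    Select-Object Inf, Catalog, SignatureStatus
```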

Process to import Windows device drivers into the driver catalog


1. In the Configuration Manager console, go to the Software Library workspace.
Expand Operating Systems, and select the Drivers node.

2. On the Home tab of the ribbon, in the Create group, select Import Driver to start
the Import New Driver Wizard.

3. On the Locate Driver page, specify the following options:

Import all drivers in the following network path (UNC): To import all the
device drivers in a specific folder, specify its network path. For example:
\\servername\share\folder .

Note

If there are a lot of subfolders and a lot of driver INF files, this process
can take time.

Import a specific driver: To import a specific driver from a folder, specify the
network path to the Windows device driver INF file.

Specify the option for duplicate drivers: Select how you want Configuration
Manager to manage driver categories when you import a duplicate device
driver:
Import the driver and append a new category to the existing categories
Import the driver and keep the existing categories
Import the driver and overwrite the existing categories
Do not import the driver

Important

When you import drivers, the site server must have Read permission to the
folder, or the import fails.

4. On the Driver Details page, specify the following options:

Hide drivers that are not in a storage or network class (for boot images):
Use this setting to only display storage and network drivers. This option hides
other drivers that aren't typically needed for boot images, such as a video
driver or modem driver.

Hide drivers that are not digitally signed: Microsoft recommends only using
drivers that are digitally signed.

In the list of drivers, select the drivers that you want to import into the driver
catalog.

Enable these drivers and allow computers to install them: Select this setting
to let computers install the device drivers. This option is enabled by default.

Important

If a device driver is causing a problem or you want to suspend the
installation of a device driver, disable it during import. You can also
disable drivers after you import them.

To assign the device drivers to an administrative category for filtering
purposes, such as "Desktops" or "Notebooks", select Categories. Then choose
an existing category, or create a new category. Use categories to control
which device drivers are applied by the Auto Apply Drivers task sequence
step.

5. On the Add Driver to Packages page, choose whether to add the drivers to a
package.

Select the driver packages that are used to distribute the device drivers.

If necessary, select New Package to create a new driver package. When you
create a new driver package, provide a network share that's not in use by
other driver packages.

If the package has already been distributed to distribution points, select Yes
in the dialog box to update the boot images on distribution points. You can't
use device drivers until they're distributed to distribution points. If you select
No, run the Update Distribution Point action before using the boot image. If
the driver package has never been distributed, you must use the Distribute
Content action in the Driver Packages node.

6. On the Add Driver to Boot Images page, choose whether to add the device drivers
to existing boot images.

Note

Add only storage and network drivers to the boot images.

Select Yes in the dialog box to update the boot images on distribution points.
You can't use device drivers until they're distributed to distribution points. If
you select No, run the Update Distribution Point action before using the
boot image. If the driver package has never been distributed, you must use
the Distribute Content action in the Driver Packages node.

Configuration Manager warns you if the architecture for one or more drivers
doesn't match the architecture of the boot images that you selected. If they
don't match, select OK. Go back to the Driver Details page, and clear the
drivers that don't match the architecture of the selected boot image. For
example, if you select an x64 and x86 boot image, all drivers must support
both architectures. If you select an x64 boot image, all drivers must support
the x64 architecture.

Note

The architecture is based on the architecture reported in the INF from
the manufacturer.
If a driver reports it supports both architectures, then you can import
it into either boot image.

Configuration Manager warns you if you add device drivers that aren't
network or storage drivers to a boot image. In most cases, they aren't
necessary for the boot image. Select Yes to add the drivers to the boot
image, or No to go back and modify your driver selection.

Configuration Manager warns you if one or more of the selected drivers
aren't properly digitally signed. Select Yes to continue, and select No to go
back and make changes to your driver selection.

7. Complete the wizard.

Manage device drivers in a driver package


Use the following procedures to modify driver packages and boot images. To add or
remove a driver, first locate it in the Drivers node. Then edit the packages or boot
images with which the selected driver is associated.

1. In the Configuration Manager console, go to the Software Library workspace.
Expand Operating Systems, and then select the Drivers node.

2. Select the device drivers that you want to add to a driver package.

3. On the Home tab of the ribbon, in the Driver group, select Edit, and then choose
Driver Packages.

4. To add a device driver, select the check box of the driver packages to which you
want to add the device drivers. To remove a device driver, clear the check box of
the driver packages from which you want to remove the device driver.

If you're adding device drivers that are associated with driver packages, you can
optionally create a new package. Select New Package, which opens the New
Driver Package dialog box.

5. If the package has already been distributed to distribution points, select Yes in the
dialog box to update the boot images on distribution points. You can't use device
drivers until they're distributed to distribution points. If you select No, run the
Update Distribution Point action before using the boot image. If the driver
package has never been distributed, you must use the Distribute Content action in
the Driver Packages node. Before the drivers are available, you must update the
driver package on distribution points.

Select OK when finished.

Manage device drivers in a boot image


You can add to boot images Windows device drivers that have been imported into the
catalog. Use the following guidelines when you add device drivers to a boot image:

Add only storage and network drivers to boot images. Other types of drivers aren't
usually required in Windows PE. Drivers that aren't required unnecessarily increase
the size of the boot image.

Add only device drivers to a boot image for the version of Windows PE. For
example, if you're using the Windows ADK for Windows 11, only add Windows 11
drivers.

Make sure that you use the correct device driver for the architecture of the boot
image. Don't add an x86 device driver to an x64 boot image.
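
The guidelines above, together with the wizard's warning about drivers that aren't properly signed, can be checked against a driver's INF text before the driver reaches the console. The following Python is an added example, not Configuration Manager's own logic: the set of setup classes treated as storage or network, the function names and the sample INF text are assumptions, and a CatalogFile entry only shows that the package references a catalog, not that its signature is valid.

```python
"""Triage driver INF text against the boot-image guidelines before import."""
import re

# Assumption: device setup classes counted as "storage or network" here.
BOOT_IMAGE_CLASSES = {"net", "scsiadapter", "hdc"}
# Platform decorations in [Manufacturer] mapped to the page's architecture names.
ARCH_DECORATIONS = {"ntamd64": "x64", "ntx86": "x86"}


def parse_inf_sections(text):
    """Return {section_name_lower: [(key, value), ...]} for INF text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            key, sep, value = line.partition("=")
            sections[current].append((key.strip(), value.strip() if sep else ""))
    return sections


def summarize_inf(text):
    """Extract the setup class, declared architectures and catalog references."""
    sections = parse_inf_sections(text)
    version = {key.lower(): value for key, value in sections.get("version", [])}
    # CatalogFile may be plain or platform-specific (CatalogFile.NTamd64).
    catalogs = sorted(v for k, v in version.items()
                      if k.startswith("catalogfile") and v)
    architectures = set()
    for _, value in sections.get("manufacturer", []):
        # "%Mfg% = Models, NTamd64, NTx86": fields after the first are decorations.
        for decoration in value.split(",")[1:]:
            platform = decoration.strip().lower().split(".")[0]
            if platform in ARCH_DECORATIONS:
                architectures.add(ARCH_DECORATIONS[platform])
    return {"class": version.get("class", ""),
            "architectures": architectures,
            "catalogs": catalogs}


def boot_image_findings(text, boot_image_architectures):
    """List what a reviewer should resolve before adding this driver to boot images."""
    info = summarize_inf(text)
    findings = []
    if info["class"].lower() not in BOOT_IMAGE_CLASSES:
        findings.append("class '%s' is not storage or network" % info["class"])
    missing = sorted(set(boot_image_architectures) - info["architectures"])
    if missing:
        findings.append("INF declares no support for " + ", ".join(missing))
    if not info["catalogs"]:
        findings.append("no CatalogFile entry, so no signed catalog is referenced")
    return findings


# Constructed sample INF text (not real drivers).
SAMPLE_NET_INF = """\
; constructed sample
[Version]
Signature   = "$Windows NT$"
Class       = Net
Provider    = %Mfg%
CatalogFile = examplenic.cat

[Manufacturer]
%Mfg% = ExampleModels, NTamd64.10.0

[Strings]
Mfg = "Example Corp"
"""

SAMPLE_DISPLAY_INF = """\
[Version]
Signature = "$Windows NT$"
Class     = Display
Provider  = %Mfg%

[Manufacturer]
%Mfg% = ExampleModels, NTx86

[Strings]
Mfg = "Example Corp"
"""

if __name__ == "__main__":
    for name, text in (("net", SAMPLE_NET_INF), ("display", SAMPLE_DISPLAY_INF)):
        for archs in (["x64"], ["x64", "x86"]):
            print(name, archs, boot_image_findings(text, archs) or "no findings")
```

The x64-only network sample passes for an x64 boot image but is flagged when both x64 and x86 boot images are selected, which mirrors the architecture warning described in the import wizard.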

Process to modify the device drivers associated with a boot image

1. In the Configuration Manager console, go to the Software Library workspace.
Expand Operating Systems, and then select the Drivers node.

2. Select the device drivers that you want to add to the driver package.

3. On the Home tab of the ribbon, in the Driver group, select Edit, and then choose
Boot images.

4. To add a device driver, select the check box of the boot image to which you want
to add the device drivers. To remove a device driver, clear the check box of the
boot image from which you want to remove the device driver.

5. If you don't want to update the distribution points where the boot image is stored,
clear the Update distribution points when finished check box. By default, the
distribution points are updated when the boot image is updated.

Select Yes in the dialog box to update the boot images on distribution points.
You can't use device drivers until they're distributed to distribution points. If
you select No, run the Update Distribution Point action before using the
boot image. If the driver package has never been distributed, you must use
the Distribute Content action in the Driver Packages node.

Configuration Manager warns you if the architecture for one or more drivers
doesn't match the architecture of the boot images that you selected. If they
don't match, select OK. Go back to the Driver Details page and clear the
drivers that don't match the architecture of the selected boot image. For
example, if you select an x64 and x86 boot image, all drivers must support
both architectures. If you select an x64 boot image, all drivers must support
the x64 architecture.

Note

The architecture is based on the architecture reported in the INF from
the manufacturer.
If a driver reports it supports both architectures then you can import
it into either boot image.

Configuration Manager warns you if you add device drivers that aren't
network or storage drivers to a boot image. In most cases, they aren't
necessary for the boot image. Select Yes to add the drivers to the boot image
or No to go back and modify your driver selection.

Configuration Manager warns you if one or more of the selected drivers
aren't properly digitally signed. Select Yes to continue or select No to go back
and make changes to your driver selection.

Additional actions for device drivers


You can do additional actions to manage drivers when you select them in the Drivers
node.

Categorize
Clears, manages, or sets an administrative category for the selected drivers.
Delete (driver)
Removes the driver from the Drivers node and also removes the driver from the
associated distribution points.

Disable
Prohibits the driver from being installed. This action temporarily disables the driver. The
task sequence can't install a disabled driver when you deploy an OS.

Note

This action only prevents drivers from installing using the Auto Apply Driver task
sequence step.

Enable

Lets Configuration Manager client computers and task sequences install the device
driver when you deploy the OS.

Move (driver)
Moves the device driver to another folder in the Drivers node.

Properties (driver)
Opens the Properties dialog box. Review and change the properties of the driver. For
example, change its name and description, enable or disable it, and specify which
platforms it can run on.

Use task sequences to install drivers


Use task sequences to automate how the OS is deployed. Each step in the task sequence
can do a specific action, such as installing a driver. You can use the following two task
sequence steps to install device drivers when you deploy an OS:

Auto Apply Drivers: This step lets you automatically match and install device
drivers as part of an operating system deployment. You can configure the task
sequence step to install only the best matched driver for each detected hardware
device. Alternatively, specify that the step installs all compatible drivers for each
detected hardware device, and then let Windows Setup choose the best driver. You
can also specify a driver category to limit the drivers that are available for this step.

Apply Driver Package: This step lets you make all device drivers in a specific driver
package available for Windows Setup. In the specified driver packages, Windows
Setup searches for the device drivers that are required. When you create stand-
alone media, you must use this step to install device drivers.

When you use these task sequence steps, you can also specify how the drivers are
installed on the computer where you deploy the OS. For more information, see Manage
task sequences to automate tasks.

Driver reports
You can use several reports in the Driver Management reports category to determine
general information about the device drivers in the driver catalog. For more information
about reports, see Introduction to reporting.

Next steps
Manage task sequences to automate tasks

Manage user state in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use Configuration Manager task sequences to capture and restore the user
state data in OS deployment scenarios where you want to keep the user state of the
current OS. For example:

Deployments where you want to capture the user state from one computer to
restore it on another computer.

Update deployments where you want to capture and restore the user state on the
same computer.

Configuration Manager uses the User State Migration Tool (USMT) 10.0 to manage the
migration of user state data from a source computer to a destination computer after the
operating system installation completes. For more information about common
migration scenarios for the USMT 10.0, see Common Migration Scenarios.

Capture user state data


When you capture user state, you can store the user state data on the destination
computer or on a state migration point. To store the user state on a state migration
point, first configure a site system server to host the role. To store the user state on the
destination computer, configure the task sequence to store the data locally using links.

Note

The links that Windows uses to store the user state locally are referred to as hard-
links. A hard-link migration store is a USMT 10.0 feature. It scans the computer for
user files and settings and then creates a directory of hard-links to those files.
USMT then uses the hard-links to restore the user data after the task sequence
deploys the new OS.

Important

You can't use a state migration point and use hard-links to store the user state data
at the same time.

When USMT captures the user state, it can store the information in one of the following
ways:

Store the data remotely on a state migration point. The Capture User State task
sequence step sends the data to the server. After the task sequence deploys the
OS, the Restore User State step downloads the data from the server and restores
the user state on the destination computer.

Store the data locally to a specific location. In this scenario, the Capture User State
step copies the user data to a specific location on the destination computer. After
the task sequence deploys the OS, the Restore User State step gets the user data
from that local location.

Use hard-links. In this scenario, the user state data remains on the drive when the
task sequence removes the old OS. After the task sequence deploys the OS, the
Restore User State step uses the hard-links to restore the user state data to its
original location.

Store user state data on a state migration point


To store the user state data on a state migration point, use the following steps:

1. Configure a state migration point to store the user state data.

2. Create a computer association between the source computer and the destination
computer. Create this association before you capture the user state on the source
computer.

3. Create a task sequence to capture and restore user state. Specifically, add the
following task sequence steps to capture user data from a computer, store the user
data on a state migration point, and restore the user data to a computer:

Request State Store: Requests access to a state migration point when
capturing state from a computer or restoring state to a computer.

Capture User State: Runs USMT to capture and store the user state data on
the state migration point.

Restore User State: Runs USMT to restore the data from a state migration
point to the destination computer.
Release State Store: Notifies the state migration point that the capture or
restore action is complete.

Store user data locally


To store the user state data locally, create a task sequence to capture and restore user
state. Specifically, add the following task sequence steps to capture user data from a
computer and restore it:

Capture User State: Run USMT to capture and store the user state to a local folder,
with or without hard-links.

Restore User State: Run USMT to restore the data from the local store to the
destination computer.

Note

The user state data that the hard-links reference remains on the computer
after the task sequence removes the old OS.

The state migration point


The state migration point stores user state data. The task sequence captures it from one
computer and then restores it on another computer. When you capture user settings for
an OS deployment on the same computer, you can store the data on the same
computer by using hard-links or you can use a state migration point. For some
deployments, when you create the state store, Configuration Manager automatically
creates an association between the state store and the destination computer.

For more information about the state migration point and the steps to configure it, see
State migration point.

Computer associations
You use a computer association when you install an OS on new hardware and restore
user data settings from another computer. The association defines the relationship
between the source and destination computers. The source computer is an existing
computer that Configuration Manager manages. It has the original user state. The
destination computer is a new computer with a new OS. You restore the user state to
the destination computer.

Note

It's not supported to create a computer association between computers located in
a Configuration Manager parent site with computers located in a child site.
Computer associations are site specific and don't replicate.

Create a computer association


1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the User State Migration node.

2. On the Home tab, in the Create group, select Create Computer Association.

3. On the Computer Association tab:

a. For the Source computer, select Search. Locate and select the existing
computer that has the user state.

b. Repeat this process for the Destination computer. You may need to Import
computer information to predefine the device record.

4. Switch to the User Accounts tab to specify the user accounts to migrate to the
destination computer. Select one of the following migration behaviors:

Capture and restore all user accounts: Use this option to create multiple
associations to the same source computer.

Capture all user accounts and restore specified accounts: This option
captures all user accounts from the source computer and only restores the
accounts that you specify to the destination computer. You can also use this
setting to create multiple associations to the same source computer.

Capture and restore specified user accounts: This option captures and
restores only the accounts that you specify. When you select this option, you
can't create multiple associations to the same source computer. This value is
the default option.

Select the new button (gold asterisk) to add user accounts from Active Directory.

When a deployment fails


If the OS deployment fails, use the USMT 10.0 LoadState tool to manually get the user
state data that the task sequence captured. Use this process for data stored on a state
migration point or saved locally on the computer. For more information on command-
line options, see LoadState Syntax.

Next steps
State migration point

Create a task sequence to capture and restore user state


Prepare for unknown computer
deployments in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use the information in this topic to deploy operating systems to unknown computers in
your Configuration Manager environment. An unknown computer is a computer that is
not managed by Configuration Manager. This means that there is no record of these
computers in the Configuration Manager database. Unknown computers include the
following:

A computer where the Configuration Manager client is not installed

A computer that is not imported into Configuration Manager

A computer that has not been discovered by Configuration Manager

You can deploy operating systems to unknown computers with the following
deployment methods:

Use PXE to deploy Windows over the network

Use bootable media to deploy an operating system

Use prestaged media to deploy an operating system

Unknown computer deployment workflow


The following is the basic workflow to deploy an operating system to an unknown
computer:

Select an unknown computer object to use in the deployment. You can deploy the
operating system to one of the unknown computer objects in the All Unknown
Computers collection or you can add the objects in the All Unknown Computers
collection to another collection. Configuration Manager provides two unknown
computer objects in the All Unknown Computers collection. One object is for x86
computers and the other object is for x64 computers.

Note

The x86 Unknown Computer object is for computers that are only x86
capable. The x64 Unknown Computer object is for computers that are x86
and x64 capable. In other words, these objects describe the architecture of the
destination computer. They do not describe the operating system that you
want to deploy to the destination computer.

Configure a PXE-enabled distribution point or create media to support unknown
computer deployments.

Deploy the task sequence to install the operating system.

Unknown Computer Installation Process


When a computer is first started from PXE or from media, Configuration Manager checks
to see if a record for that computer exists in the Configuration Manager database. If
there is a record, Configuration Manager then checks to see if there are any task
sequences deployed to the record. If there is not a record, Configuration Manager
checks to see if there are any task sequences deployed to an unknown computer object.
In either case, Configuration Manager then performs one of the following actions:

If there is an available task sequence, Configuration Manager prompts the user to
run the task sequence.

If there is a required task sequence, Configuration Manager automatically runs the
task sequence.

If a task sequence is not deployed for the record, Configuration Manager
generates an error that there is no deployed task sequence for the destination
computer.

When an unknown computer is started, Configuration Manager recognizes the
computer as an unprovisioned computer rather than an unknown computer. This
means that the computer can now receive the task sequences that were deployed
to the unknown computer object. The deployed task sequence then installs an
operating system image that must include the Configuration Manager client.

After the Configuration Manager client is installed, a record for the computer is
created and the computer is listed in the appropriate Configuration Manager
collection. If the computer fails to install the operating system image or the
Configuration Manager client, an "Unknown" record for the computer is created
and the computer appears in the All Systems collection.

Note

During the installation of the operating system image, the task sequence can
retrieve collection variables but not computer variables from this computer.

Enabling Unknown Computer Support


Use the following to enable unknown computer support when you deploy an operating
system by using PXE, bootable media, and prestaged media.

PXE

Select the Enable unknown computer support check box on the PXE tab for a
distribution point that is enabled for PXE. For more information, see Configuring
distribution points to accept PXE requests.

Bootable media

Select the Enable unknown computer support check box on the Security page of
the Create Task Sequence Media Wizard. For more information, see Configuring
distribution points to accept PXE requests and Use PXE to deploy Windows over
the network with Configuration Manager.

Prestaged media

Select the Enable unknown computer support check box on the Security page of
the Create Task Sequence Media Wizard. For more information, see Create
prestaged media with Configuration Manager.

Associate users with a destination computer in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you use Configuration Manager to deploy operating systems, you can associate
users with the destination computer. This option works whether a single user or multiple
users are the primary users of the destination computer.

User device affinity supports user-centric management for when you deploy
applications. When you associate a user with the destination computer on which to
install an OS, you can later deploy applications to that user, and the applications
automatically install on the destination computer. While you can configure support for
user device affinity during OS deployment, you can't use user device affinity to deploy
the OS.

For more information about user device affinity, see Link users and devices with user
device affinity.

There are several methods by which you can integrate user device affinity into your OS
deployments. You can integrate user device affinity into PXE deployments, bootable
media deployments, and pre-staged media deployments.

Create a task sequence that includes the SMSTSAssignUsersMode variable
Add the SMSTSAssignUsersMode variable to the beginning of your task sequence by
using the Set Task Sequence Variable step. This variable specifies how the task sequence
handles the user information.

For more information, see Task sequence variables.

Create a prestart command that gathers the user information
The prestart command can be a VBScript with an input box. It can also be an HTML
application (HTA) that validates the user data that they enter.
This prestart command must set the SMSTSUDAUsers variable that's used when the task
sequence runs. This variable can be set on a computer, a collection, or a task sequence
variable.

For more information, see Task sequence variables.

Configure how distribution points and media associate the user with the destination computer
The distribution point or media supports associating users with the destination
computer where the OS is deployed. Use one of the following methods:

Configure a distribution point to accept PXE boot requests

Create bootable media

Create pre-staged media

Configuring user device affinity support doesn't have a built-in method to validate the
user identity. This behavior is important when a technician is provisioning the computer
and enters the information on behalf of the user. In addition to setting how the
task sequence handles the user information, configuring these options on the distribution
point and media provides the ability to restrict the deployments that are started from a
PXE boot or from a specific type of media.

Prepare Windows PE peer cache to reduce WAN traffic in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you deploy a new operating system in Configuration Manager, computers that
run the task sequence can use Windows PE Peer Cache to obtain content from a local
peer (a peer cache source) instead of downloading content from a distribution point.
This helps minimize wide area network (WAN) traffic in branch office scenarios where
there is no local distribution point.

Windows PE Peer Cache is similar to Windows BranchCache, but functions in the
Windows Preinstallation Environment (Windows PE). The following terms are used to
describe the clients that use Windows PE Peer Cache:

A peer cache client is a computer that is configured to use Windows PE Peer
Cache.

A peer cache source is a client that is configured for peer cache and that makes
content available to other peer cache clients that request that content.

Use the following sections to manage Peer Cache.

Objects stored on a Peer Cache source


A task sequence configured to use Windows PE Peer Cache can get the following
content objects while running in Windows PE:

Operating system image

Driver package

Packages and Programs (When the client continues to run the task sequence in the
full operating system, the client gets this content from a peer cache source if the
task sequence was originally configured for peer cache when running in Windows
PE.)

Additional boot images


The following content objects never transfer using peer cache. Instead, they
transfer from a distribution point or by Windows BranchCache if you have
configured Windows BranchCache in your environment:

Applications

Software updates

How does Windows PE Peer Cache work?


Consider a scenario with a branch office that does not have a distribution point but does
have several clients enabled to use Windows PE Peer Cache. You deploy the task
sequence configured to use peer cache to several clients that are configured to be part
of the peer cache source. The first client to run the task sequence broadcasts a request
for a peer with the content. It doesn't find one so it gets the content from a distribution
point across the WAN. The client installs the new image and then stores the content in
its Configuration Manager client cache so it can function as a peer cache source to other
clients. When the next client runs the task sequence, it broadcasts a request on the
subnet for a peer cache source, and that first client responds and makes its cached
content available.

Determine what clients will be part of the Windows PE Peer Cache source
To help you determine what computers to select as a Windows PE Peer Cache source,
there are several things that you should consider:

The Windows PE Peer Cache source should be a desktop computer that is always
powered on and available to peer cache clients.

The Windows PE Peer Cache source should have a client cache size sufficient to
store the images.

Requirements for a client to use a Windows PE Peer Cache source
For clients to use a Windows PE Peer Cache source, they must meet the following
requirements:

The Configuration Manager client must be able to communicate across the
following ports on your network:

Port for the initial network broadcast to find a peer cache source. By default, this
is UDP port 8004.

Port for content downloading from a peer cache source (HTTP and HTTPS). By
default, this is TCP port 8003.

For more information, see Ports used for connections.

Tip

Clients will use HTTPS to download content when it is available. However,
the same port number is used for either HTTP or HTTPS.

Configure the client cache on clients to ensure they have enough space to hold
and store the images you deploy. Windows PE Peer Cache does not affect the
configuration or behavior of the client cache.

The deployment options for the task sequence deployment must be configured as
Download content locally when needed by task sequence.

Configure Windows PE Peer Cache


You can use the following methods to provision a client with peer cache content so it
can serve as a peer cache source:

A peer cache client that cannot find a peer cache source with the content will
download it from a distribution point. If the client receives client settings that
enable peer cache and the task sequence is configured to preserve the cached
content, the client becomes a peer cache source.

A peer cache client can get content from another peer cache client (a peer cache
source). Because the client is configured for peer cache, when it runs a task
sequence that is configured to preserve the cached content, the client becomes a
peer cache source.

A client runs a task sequence that includes the optional step, Download Package
Content, which is used to prestage the relevant content that is included in the
Windows PE Peer Cache task sequence. When you use this method:

The client does not need to install the image that is being deployed.

In addition to the Download Package Content option, the task sequence must
also use the Configuration Manager client cache option. You use this option to
store the content in the client's cache so the client can act as a peer cache
source for other peer cache clients.

The following procedures will help you configure Windows PE Peer Cache on
clients and configure task sequences that support peer cache.

To configure the Windows PE Peer Cache source computers
1. In the Configuration Manager console, navigate to Administration > Client
Settings, and then create a new Custom Client Device Settings or edit an existing
settings object. You can also configure this for the Default Client Settings object.

Tip

Use a custom settings object to manage which clients receive this
configuration. For example, you might want to avoid configuring this on the
laptops of users who are frequently on the move. A highly mobile system can
be a poor source to provide content to other peer cache clients.

Also remember that when you configure this setting as part of the Default
Client Settings, the configuration applies to all clients in your environment.

2. Under Client Cache Settings, set Enable Configuration Manager client in full OS
to share content to Yes.

By default, only HTTP is enabled. If you want to enable clients to download
content over HTTPS, set Enable HTTPS for client peer communication to Yes.

By default, the port for broadcasts is set to 8004 and the port for content
downloads is set to 8003. You can change both.

3. Save and deploy the Client Settings to the clients that you select to be a peer
cache source.

After a device is configured with this settings object, the device is configured to act
as a peer cache source. These settings should be deployed to potential peer cache
clients to configure the required ports and protocols.

Configure a task sequence for Windows PE Peer Cache


When you configure the task sequence, use the following task sequence variables as
Collection Variables on the collection to which the task sequence is deployed:

SMSTSPeerDownload

Value: TRUE

This enables the client to use Windows PE Peer Cache.

SMSTSPeerRequestPort

Value: <Port number>

When you do not use the default port configured in the Client Settings (8004), you
must configure this variable with a custom value of the network port to use for the
initial broadcast.

SMSTSPreserveContent

Value: TRUE

This flags the content in the task sequence to be retained in the Configuration
Manager client cache after the deployment. This is different from using
SMSTSPersistContent, which only preserves the content for the duration of the task
sequence and uses the task sequence cache, not the Configuration Manager client
cache.

For more information, see Task sequence variables.

Validate the success of using Windows PE peer cache


After you use Windows PE peer cache to deploy and install a task sequence, you can
confirm that peer cache was successfully used in the process by viewing the smsts.log
on the client that ran the task sequence.

In the log, locate an entry similar to the following where <SourceServerName> identifies
the computer from which the client obtained the content. This computer should be a
peer cache source, and not a distribution point server. Other details will vary based on
your local environment and configurations.

<![LOG[Downloaded file from
http://<SourceServerName>:8003/SCCM_BranchCache$/SS10000C/sccm?/install.wim to
C:\_SMSTaskSequence\Packages\SS10000C\install.wim ]LOG]!>
<time="14:24:33.329+420" date="06-26-2015"
component="ApplyOperatingSystem" context="" type="1" thread="1256"
file="downloadcontent.cpp:1626">
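
One way to automate this check, as an added example that is not part of the original article: the function extracts the source host, port and scheme from each "Downloaded file from" entry and marks whether the host is one of your distribution points. The function name, the host names and both sample log lines are constructed for illustration.

```powershell
# Added example: list where a task sequence downloaded its content from,
# based on smsts.log entries. Get-TsDownloadSource is a hypothetical helper.
function Get-TsDownloadSource {
    [CmdletBinding()]
    param(
        # Log text; for a real run pass (Get-Content <path to smsts.log>).
        [Parameter(Mandatory)][string[]]$LogLine,
        # Distribution point host names, written as they appear in the log.
        [string[]]$DistributionPoint = @()
    )

    # A message can span lines, so join the input and match whole entries.
    $text = $LogLine -join ' '
    $entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!>\s*<time="(?<time>[^"]+)"\s+' +
                    'date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"'
    $urlPattern = 'Downloaded file from\s+(?<scheme>https?)://(?<host>[^:/\s]+)' +
                  '(?::(?<port>\d+))?(?<path>/\S*)'

    foreach ($entry in [regex]::Matches($text, $entryPattern, 'Singleline')) {
        $url = [regex]::Match($entry.Groups['msg'].Value, $urlPattern, 'IgnoreCase')
        if (-not $url.Success) { continue }   # not a download entry

        $sourceHost = $url.Groups['host'].Value
        # -contains compares strings case-insensitively.
        $isDp = $DistributionPoint -contains $sourceHost

        [pscustomobject]@{
            Date       = $entry.Groups['date'].Value
            Time       = $entry.Groups['time'].Value
            Component  = $entry.Groups['comp'].Value
            Scheme     = $url.Groups['scheme'].Value.ToLowerInvariant()
            SourceHost = $sourceHost
            Port       = if ($url.Groups['port'].Success) { [int]$url.Groups['port'].Value } else { $null }
            File       = ($url.Groups['path'].Value -split '/')[-1]
            # A source that is not a known distribution point is what the
            # article expects when peer cache was used.
            SourceType = if ($isDp) { 'DistributionPoint' } else { 'PeerCacheSource' }
        }
    }
}

# Constructed sample entries (not captured from a real system).
$sample = @(
    '<![LOG[Downloaded file from http://PC-0142:8003/SCCM_BranchCache$/SS10000C/sccm?/install.wim to C:\_SMSTaskSequence\Packages\SS10000C\install.wim ]LOG]!><time="14:24:33.329+420" date="06-26-2015" component="ApplyOperatingSystem" context="" type="1" thread="1256" file="downloadcontent.cpp:1626">'
    '<![LOG[Downloaded file from http://DP01.example.test:80/SMS_DP_SMSPKG$/SS10000D/sccm?/drivers.cab to C:\_SMSTaskSequence\Packages\SS10000D\drivers.cab ]LOG]!><time="14:26:02.101+420" date="06-26-2015" component="ApplyDriverPackage" context="" type="1" thread="1256" file="downloadcontent.cpp:1626">'
    '<![LOG[Successfully applied image]LOG]!><time="14:31:10.000+420" date="06-26-2015" component="ApplyOperatingSystem" context="" type="1" thread="1256" file="applyos.cpp:100">'
)

Get-TsDownloadSource -LogLine $sample -DistributionPoint 'DP01.example.test' |
    Format-Table Date, Time, Scheme, SourceHost, Port, File, SourceType -AutoSize
```

The Scheme column also shows whether each peer transfer used HTTP or HTTPS, which reflects the Enable HTTPS for client peer communication setting described earlier.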

OS deployment methods with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

There are different methods that you can use to deploy an OS in your Configuration
Manager environment:

Use PXE to deploy Windows over the network

Use Software Center to deploy Windows over the network

Use bootable media to deploy Windows over the network

Use standalone media to deploy Windows without using the network

Use multicast to deploy Windows over the network

Create an image for an OEM in factory or a local depot

Create a task sequence for non-OS deployments

Deploy Windows to Go

Use PXE to deploy Windows over the network with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Preboot execution environment (PXE)-initiated OS deployments in Configuration
Manager let clients request and deploy operating systems over the network. For this
deployment method, you send the OS image and the boot images to a PXE-enabled
distribution point.

Note

When you create an OS deployment that targets only x64 BIOS computers, both
the x64 boot image and x86 boot image must be available on the distribution
point.

You can use PXE-initiated OS deployments in the following scenarios:

Refresh an existing computer with a new version of Windows

Install a new version of Windows on a new computer (bare metal)

Complete the steps in one of the OS deployment scenarios, and then use the sections in
this article to prepare for PXE-initiated deployments.

Warning

If you use PXE deployments, and configure device hardware with the network
adapter as the first boot device, these devices can automatically start an OS
deployment task sequence without user interaction. Deployment verification
doesn't manage this configuration. While this configuration may simplify the
process and reduce user interaction, it puts the device at greater risk for accidental
reimage.

Starting in version 2006, PXE-based task sequences can download cloud-based content.
The PXE-enabled distribution point still requires the boot image, and the device needs
an intranet connection to the management point. It can then get additional content
from a content-enabled cloud management gateway (CMG). For more information, see
Bootable media support for cloud-based content.

Configure distribution points for PXE

To deploy operating systems to Configuration Manager clients that make PXE boot
requests, configure one or more distribution points to accept PXE requests. Then the
distribution point responds to PXE boot requests, and determines the appropriate
deployment action. For more information, see Install or modify a distribution point.

Note

When you configure a single PXE-enabled distribution point to support multiple
subnets, it's not supported to use DHCP options. To allow the network to forward
client PXE requests to PXE-enabled distribution points, configure IP helpers on the
routers.

When you enable a PXE responder on a distribution point without Windows Deployment
Service, it can be on the same server as the DHCP service. Add the following settings to
support this configuration:

Set the DWord value DoNotListenOnDhcpPort to 1 in the following registry key:
HKLM\Software\Microsoft\SMS\DP.

Set DHCP option 60 to PXEClient.

Restart the SCCMPXE and DHCP services on the server.

Prepare a PXE-enabled boot image


To use PXE to deploy an OS, distribute both x86 and x64 PXE-enabled boot images to
one or more PXE-enabled distribution points.

To enable PXE on a boot image, select Deploy this boot image from the
PXE-enabled distribution point from the Data Source tab in the boot image properties.

When you change the properties for the boot image, update and redistribute the
boot image to distribution points. For more information, see Distribute content.

Manage duplicate hardware identifiers


Configuration Manager may recognize multiple computers as the same device if they
have duplicate SMBIOS attributes or you use a shared network adapter. Mitigate these
issues by managing duplicate hardware identifiers in hierarchy settings. For more
information, see Manage duplicate hardware identifiers.

Create an exclusion list for PXE deployments

Note

In some circumstances, the process to Manage duplicate hardware identifiers may
be easier.

The behaviors of each can cause different results in some scenarios. The exclusion
list never boots a client with the listed MAC address, no matter what.

The duplicate ID list doesn't use the MAC address to find the task sequence policy
for a client. If it matches the SMBIOS ID, or if there's a task sequence policy for
unknown machines, the client still boots.

When you deploy operating systems with PXE, you can create an exclusion list on each
distribution point. Add the MAC addresses to the exclusion list of the computers you
want the distribution point to ignore. Listed computers don't receive the deployment
task sequences that Configuration Manager uses for PXE deployment.

1. Create a text file on the PXE-enabled distribution point. For example, name the file
pxeExceptions.txt.

2. Use a plain text editor, such as Notepad, to edit the file. Add the MAC addresses of
the computers that the PXE-enabled distribution point should ignore. Separate the
MAC address values by colons, and enter each address on a separate line. For
example: 01:23:45:67:89:ab

3. Save the text file on the PXE-enabled distribution point. You can save it to any
location on the server.

4. Edit the registry on the PXE-enabled distribution point. Browse to the following
registry path: HKLM\Software\Microsoft\SMS\DP. Create a MACIgnoreListFile string
value. Add the full path to the text file on the PXE-enabled distribution point.

Warning

If you use the Registry Editor incorrectly, you might cause serious problems
that may require you to reinstall Windows. Microsoft can't guarantee that you
can solve problems that result from using the Registry Editor incorrectly. Use
the Registry Editor at your own risk.

5. After you make this registry change, restart the WDS service or PXE responder
service. You don't need to restart the server.
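
The five steps above as one script, added here as an example and not taken from the original article: it validates every address before anything is written, so a mistyped entry stops the run instead of silently leaving a device unprotected. The function names, the default file path and the sample MAC addresses are constructed; WDSServer is the Windows Deployment Services service name, and SccmPxe is the PXE responder service the article calls SCCMPXE.

```powershell
# Added example: build the PXE exclusion list and register it on the
# PXE-enabled distribution point. Run elevated on that server.
# ConvertTo-ColonMac and Set-PxeExclusionList are hypothetical helper names.

function ConvertTo-ColonMac {
    param([Parameter(Mandatory)][string]$Mac)
    # Accept 0123456789AB, 01-23-45-67-89-AB, 01:23:45:67:89:ab, 0123.4567.89ab
    $hex = ($Mac -replace '[-:.\s]', '').ToLowerInvariant()
    if ($hex -notmatch '^[0-9a-f]{12}$') {
        throw "Not a 48-bit MAC address: '$Mac'"
    }
    # Colon-separated, lower case, following the article's example
    # 01:23:45:67:89:ab (the article does not say whether case matters).
    (0..5 | ForEach-Object { $hex.Substring($_ * 2, 2) }) -join ':'
}

function Set-PxeExclusionList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$MacAddress,
        # Any location on the server is allowed; this default is an assumption.
        [string]$ListPath = 'C:\PxeConfig\pxeExceptions.txt',
        [string]$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\SMS\DP'
    )

    # Steps 1-3: validate everything first, de-duplicate, one address per line.
    $lines = @($MacAddress | ForEach-Object { ConvertTo-ColonMac $_ } | Sort-Object -Unique)

    $folder = Split-Path -Path $ListPath -Parent
    if (-not (Test-Path -LiteralPath $folder)) {
        if ($PSCmdlet.ShouldProcess($folder, 'Create folder')) {
            New-Item -ItemType Directory -Path $folder -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess($ListPath, "Write $($lines.Count) MAC address(es)")) {
        Set-Content -LiteralPath $ListPath -Value $lines -Encoding ASCII
    }

    # Step 4: MACIgnoreListFile string value holding the full path to the file.
    if ($PSCmdlet.ShouldProcess("$RegistryPath\MACIgnoreListFile", "Set to $ListPath")) {
        if (-not (Test-Path -Path $RegistryPath)) {
            throw "$RegistryPath not found; is this a distribution point?"
        }
        New-ItemProperty -Path $RegistryPath -Name 'MACIgnoreListFile' `
            -PropertyType String -Value $ListPath -Force | Out-Null
    }

    # Step 5: restart whichever PXE service is running; no server reboot needed.
    Get-Service -Name 'WDSServer', 'SccmPxe' -ErrorAction SilentlyContinue |
        Where-Object Status -eq 'Running' |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'Restart service')) {
                Restart-Service -InputObject $_
            }
        }

    $lines   # return what was (or would be) written
}

# Constructed sample input: three spellings, two of them the same adapter.
# -WhatIf previews every change without touching the file, registry or services.
Set-PxeExclusionList -WhatIf -MacAddress @(
    '01-23-45-67-89-AB'
    '0123.4567.89ab'
    'aa:bb:cc:dd:ee:01'
)
```

Remove -WhatIf to apply the changes; the returned list is the file content, which you can keep with your change record.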

RamDisk TFTP block size and window size


You can customize the RamDisk TFTP block and window sizes for PXE-enabled
distribution points. If you've customized your network, a large block or window size
could cause the boot image download to fail with a time-out error. The RamDisk TFTP
block and window size customizations allow you to optimize TFTP traffic when using PXE
to meet your specific network requirements. To determine what configuration is most
efficient, test the customized settings in your environment. For more information, see
Customize the RamDisk TFTP block size and window size on PXE-enabled distribution
points.

Configure deployment settings


To use a PXE-initiated OS deployment, configure the deployment to make the OS
available for PXE boot requests. Configure available operating systems on the
Deployment Settings tab in the deployment properties. For the Make available to the
following setting, select one of the following options:

Configuration Manager clients, media, and PXE

Only media and PXE

Only media and PXE (hidden)

Option 82 during PXE DHCP handshake


Configuration Manager supports option 82 during the PXE DHCP handshake with the
PXE responder without WDS. If you require option 82, make sure to use the PXE
responder without WDS. Configuration Manager doesn't support option 82 with WDS.

Deploy the task sequence


Deploy the OS to a target collection. For more information, see Deploy a task sequence.
When you deploy operating systems by using PXE, you can configure whether the
deployment is required or available.

Required deployment: Required deployments use PXE without any user
intervention. The user can't bypass the PXE boot. However, if the user cancels the
PXE boot before the distribution point responds, the OS isn't deployed.

Available deployment: Available deployments require that the user is present at
the destination computer. A user must press the F12 key to continue the PXE boot
process. If a user isn't present to press F12, the computer boots into the current
OS, or from the next available boot device.

You can redeploy a required PXE deployment by clearing the status of the last PXE
deployment assigned to a Configuration Manager collection or a computer. For more
information on the Clear Required PXE Deployments action, see Manage clients or
Manage collections. This action resets the status of that deployment and reinstalls the
most recent required deployments.

Important

The PXE protocol isn't secure. Make sure that the PXE server and the PXE client are
located on a physically secure network, such as in a data center, to prevent
unauthorized access to your site.

How the boot image is selected for PXE


When a client boots with PXE, Configuration Manager provides the client with a boot
image to use. Configuration Manager uses a boot image with an exact architecture
match. If a boot image with the exact architecture isn't available, Configuration Manager
uses a boot image with a compatible architecture.

The following list provides details about how a boot image is selected for clients
booting with PXE:

1. Configuration Manager looks in the site database for the system record that
matches the MAC address or SMBIOS of the client that's trying to boot.

Note

If a computer that's assigned to a site boots to PXE for a different site, the
policies aren't visible for the computer. For example, if a client is already
assigned to site A, the management point and distribution point for site B
aren't able to access the policies from site A. The client doesn't successfully
PXE boot.

2. Configuration Manager looks for task sequences that are deployed to the system
record found in step 1.

3. In the list of task sequences found in step 2, Configuration Manager looks for a
boot image that matches the architecture of the client that's trying to boot. If a
boot image is found with the same architecture, that boot image is used.

If it finds more than one boot image, it uses the highest or most recent task
sequence deployment ID. In the case of a multi-site hierarchy, the higher letter site
would take precedence in that string comparison. For example, if they're both
matched otherwise, a year-old deployment from site ZZZ is selected over
yesterday's deployment from site AAA.

4. If a boot image isn't found with the same architecture, Configuration Manager
looks for a boot image that's compatible with the architecture of the client. It looks
in the list of task sequences found in step 2. For example, a 64-bit BIOS/MBR client
is compatible with 32-bit and 64-bit boot images. A 32-bit BIOS/MBR client is
compatible with only 32-bit boot images. UEFI clients are only compatible with
matching architecture. A 64-bit UEFI client is compatible with only 64-bit boot
images and a 32-bit UEFI client is compatible with only 32-bit boot images.
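
The selection rules in the list above, modelled as an added example; this is not Configuration Manager code and it covers only the rules the article states. Select-PxeBootImage, the property names and the deployment IDs are constructed, and two points are assumptions: that the "string comparison" is ordinal, and that the highest-ID rule also applies to the compatible-architecture fallback in step 4.

```powershell
# Added example: a model of the documented PXE boot image selection rules.
# Get-HighestDeployment and Select-PxeBootImage are hypothetical names.

function Get-HighestDeployment {
    param([object[]]$Candidate)
    # "Highest" deployment ID by string comparison (assumed ordinal), so the
    # site code prefix outweighs how recent the deployment is.
    $winner = $null
    foreach ($c in $Candidate) {
        if ($null -eq $winner -or [string]::CompareOrdinal(
                $c.DeploymentId.ToUpperInvariant(),
                $winner.DeploymentId.ToUpperInvariant()) -gt 0) {
            $winner = $c
        }
    }
    $winner
}

function Select-PxeBootImage {
    param(
        [Parameter(Mandatory)][ValidateSet('x86', 'x64')][string]$ClientArch,
        [Parameter(Mandatory)][ValidateSet('BIOS', 'UEFI')][string]$Firmware,
        # Task sequence deployments that target the client's system record,
        # that is, the result of steps 1 and 2.
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Deployment
    )

    # Step 3: a boot image with the same architecture is used if one exists.
    $exact = @($Deployment | Where-Object { $_.BootImageArch -eq $ClientArch })
    if ($exact.Count -gt 0) { return Get-HighestDeployment $exact }

    # Step 4: compatible architecture. Only a 64-bit BIOS/MBR client has one
    # (32-bit); UEFI clients and 32-bit BIOS clients need an exact match.
    if ($Firmware -eq 'BIOS' -and $ClientArch -eq 'x64') {
        $compatible = @($Deployment | Where-Object { $_.BootImageArch -eq 'x86' })
        if ($compatible.Count -gt 0) { return Get-HighestDeployment $compatible }
    }

    return $null   # no usable boot image for this client
}

# Constructed sample deployments (IDs and dates are illustrative only).
$deployments = @(
    [pscustomobject]@{ DeploymentId = 'AAA20041'; BootImageArch = 'x64'; Created = '2022-10-03' }
    [pscustomobject]@{ DeploymentId = 'ZZZ20007'; BootImageArch = 'x64'; Created = '2021-10-04' }
    [pscustomobject]@{ DeploymentId = 'AAA20042'; BootImageArch = 'x86'; Created = '2022-10-03' }
)

# The year-old ZZZ deployment wins over yesterday's AAA deployment.
Select-PxeBootImage -ClientArch x64 -Firmware UEFI -Deployment $deployments

# A 64-bit BIOS client with only an x86 boot image falls back to it;
# a 64-bit UEFI client in the same situation gets nothing.
$x86Only = @($deployments | Where-Object BootImageArch -eq 'x86')
Select-PxeBootImage -ClientArch x64 -Firmware BIOS -Deployment $x86Only
Select-PxeBootImage -ClientArch x64 -Firmware UEFI -Deployment $x86Only
```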

Next steps
User experiences for OS deployment

Use Software Center to deploy Windows over the network with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can make a task sequence that installs an OS available in Software Center. A user
can run a task sequence from Software Center for the following OS deployment
scenarios:

Refresh an existing computer with a new version of Windows

Upgrade Windows to the latest version

Create a task sequence for non-OS deployments

Complete the steps in one of those OS deployment scenarios. Then use the following
sections to prepare for deployments that are available in Software Center.

Deploy the task sequence


Deploy the task sequence to a target collection. For more information, see Deploy a task
sequence.

On the Deployment Settings page of the deployment, for the Make available to the
following setting, select one of the following options:

Only Configuration Manager Clients

Configuration Manager clients, media and PXE

Also configure whether the deployment is required or available:

Required deployment: Required deployments make the task sequence available in
Software Center. It automatically starts at the configured deadline.

Available deployment: The task sequence is available in Software Center, and a
user can install it on demand.

After you create the deployment, clients in the target collection will show the task
sequence in Software Center.

Note

If multiple users are signed in on the device, task sequence deployments might not
appear in Software Center until other users are signed out.

Next steps
User experiences for OS deployment

Use bootable media to deploy Windows over the network with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Bootable media only includes the boot image and a pointer to the task sequence. It
downloads the OS image and other referenced content from the network. Since the
bootable media doesn't contain much content, you can update the task sequence and
most content without having to replace the media.

Deploy operating systems over the network with boot media in the following scenarios:

Refresh an existing computer with a new version of Windows

Install a new version of Windows on a new computer (bare metal)

Replace an existing computer and transfer settings

Complete the steps in one of the OS deployment scenarios and then use the following
sections to use bootable media to deploy the OS.

Configure deployment settings


When you use bootable media to start the OS deployment process, configure the task
sequence deployment to make the OS available to the media. Set this option on the
Deployment Settings page of the deployment. For the Make available to the following
setting, select one of the following options:

Configuration Manager clients, media, and PXE

Only media and PXE

Only media and PXE (hidden)

For more information, see Deploy a task sequence.

Create the bootable media


When you create bootable media, specify whether it's a USB flash drive or CD/DVD set.
The computer that starts the media must support the option that you choose as a
bootable drive. For more information, see Create bootable media.

Install the OS from bootable media


To install the OS, insert the bootable media, and then power on the computer.

Support for cloud-based content


Starting in version 2006, bootable media can download cloud-based content. For
example, you send a USB key to a user at a remote office to reimage their device. Or an
office that has a local PXE server, but you want devices to prioritize cloud services as
much as possible. Instead of further taxing the WAN to download large OS deployment
content, boot media and PXE deployments can now get content from cloud-based
sources.

For more information, see Bootable media support for cloud-based content.

Next steps
User experiences for OS deployment

Use standalone media to deploy Windows without using the network
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Standalone media in Configuration Manager contains everything required to deploy an
OS on a computer. The media includes the boot image, OS image, task sequence policy,
applications, drivers, and more. Standalone media deployments let you deploy
operating systems in the following conditions:

In environments where it isn't practical to copy an OS image or other large
packages over the network.

In environments without network connectivity or low-bandwidth network
connectivity.

Use standalone media in the following OS deployment scenarios:

Refresh an existing computer with a new version of Windows

Install a new version of Windows on a new computer (bare metal)

Upgrade Windows to the latest version

Complete the steps in one of these OS deployment scenarios. Then use the following
sections to prepare for and create the standalone media.

Unsupported task sequence actions


When you use standalone media, Configuration Manager doesn't support the following
actions in the task sequence:

The Auto Apply Drivers step. Automatic application of device drivers from the
driver catalog isn't supported. To make a specific set of drivers available to
Windows Setup, use the Apply Driver Package step.

Installing software updates.

Installing software before deploying the OS.

Associating users with the destination computer for user device affinity.

Dynamic package installs with the Install Package step.

Dynamic application installs with the Install Application step.

Known issue with Install Package step and media created at the central administration site

An error might occur if your task sequence includes the Install Package step and you
create the stand-alone media at a central administration site (CAS). The CAS doesn't
have the necessary client configuration policies. These policies are required to enable
the software distribution agent when the task sequence runs. The following error might
appear in the CreateTsMedia.log file: WMI method
SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, create the stand-alone
media at a primary site that has the software distribution agent enabled.

Alternatively, use a custom Run PowerShell Script step. Add it after the Setup Windows
and ConfigMgr step and before the first Install Package step. The Run PowerShell
Script step runs the following commands to enable the software distribution agent
before the first Install Package step:

PowerShell

# Create a local policy instance that enables the software distribution agent
$namespace = "root\ccm\policy\machine\requestedconfig"
$class = "CCM_SoftwareDistributionClientConfig"
$classArgs = @{
    ComponentName = 'Enable SWDist'
    Enabled = 'true'
    LockSettings = 'TRUE'
    PolicySource = 'local'
    PolicyVersion = '1.0'
    SiteSettingsKey = '1'
}
# CreateOnly adds the instance and does not overwrite an existing one
Set-WmiInstance -Namespace $namespace -Class $class -Arguments $classArgs -PutType CreateOnly

Configure deployment settings


When you use standalone media to start the OS deployment process, configure the
deployment to make the OS available to media. On the Deployment Settings page of
the deployment, for the Make available to the following setting, select one of the
following options:

Configuration Manager clients, media, and PXE

Only media and PXE

Only media and PXE (hidden)

Create the standalone media


You can specify whether the standalone media is a USB flash drive or CD/DVD set. The
computer that will start the media must support the option that you choose as a
bootable drive. For more information, see Create standalone media.

Install the OS from standalone media


To install the OS, insert the standalone media to the computer, and then power it on.

Next steps
User experiences for OS deployment

Use multicast to deploy Windows over the network with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Multicast is a network optimization method that you can use when multiple clients are
likely to download the same OS image at the same time. When you use multicast,
multiple computers simultaneously download the OS image as it's multicast by the
distribution point. This behavior is instead of each client downloading a copy of the
image over a separate connection from the distribution point.

Deploy operating systems over the network by using multicast in the following OS
deployment scenarios:

Refresh an existing computer with a new version of Windows

Install a new version of Windows on a new computer (bare metal)

Complete the steps in one of these OS deployment scenarios. Then use the following
sections to support multicast.

Configure distribution points for multicast


To use multicast, configure at least one distribution point to support multicast. For more
information, see Install and configure distribution points.

For a list of ports required to support multicast, see Ports.

Prepare an OS image for multicast


You need to configure the OS image to support multicast. For more information, see
Prepare the OS image for multicast deployments.

Deploy the task sequence


Deploy the OS to a target collection. For more information, see Deploy a task sequence.

Next steps
User experiences for OS deployment

Create an image for an OEM in factory or a local depot with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Prestaged media deployments in Configuration Manager let you deploy an OS to a
computer that isn't fully provisioned. The prestaged media is a Windows image (WIM)
file. The manufacturer (OEM) can install it on a bare-metal computer, or you can use it in
a staging center that's separate from your production environment.

This method of deployment can reduce network traffic because the boot image and OS
image are already on the destination computer. You can specify applications, packages,
and driver packages to also include in the prestaged media. After it installs the OS on
the computer, the task sequence first checks the prestaged cache for applications,
packages, or driver packages. If it can't find the necessary content, or there is a newer
revision available online, the task sequence downloads the content from a distribution
point.

Use prestaged media in the following OS deployment scenarios:

Install a new version of Windows on a new computer (bare metal)

Replace an existing computer and transfer settings

Complete the steps in one of these OS deployment scenarios. Then use the following
sections to prepare for and create the prestaged media.

Configure deployment settings


On the Deployment Settings page of the deployment, for the Make available to the
following setting, select one of the following options:

Configuration Manager clients, media, and PXE

Only media and PXE

Only media and PXE (hidden)


Create the prestaged media

Create the prestaged media file to send to the OEM or your local depot. For more
information, see Create prestaged media with Configuration Manager.

Send the prestaged media file


Send the media to the OEM or your local depot to prestage on the computers. They
apply the image file to a formatted hard disk on the computer.

Deliver the computer


When you deliver the computer to a user, and turn it on for the first time:

1. The computer starts with the prestaged boot image.

2. It checks a hash on the prestaged media to make sure it's valid.

3. The computer connects to the management point for available task sequences to
complete the process.

Next steps
User experiences for OS deployment

Create a task sequence for non-OS deployments
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Task sequences in Configuration Manager are used to automate different kinds of tasks
within your environment. These tasks are primarily designed and tested for deploying
operating systems. Configuration Manager has many other features that should be the
primary technology that you use for the following scenarios:

Application installation

Note

Starting in version 2002, install complex applications using task sequences via
the application model. Add a deployment type to an app that's a task
sequence, either to install or uninstall the app. For more information, see
Create Windows applications.

Starting in version 2010, use the task sequence deployment type of an application
to deploy a task sequence to a user-based collection.

Software updates installation

Setting configuration

Also consider other Microsoft System Center automation technologies, such as
Orchestrator and Service Management Automation.

The power of task sequences lies in their flexibility and how you use them. They can
configure client settings, distribute software, update drivers, edit user states, and do
other tasks independent of OS deployment. You can create a custom task sequence to
add any number of tasks. The use of custom task sequences for non-OS deployment is
supported in Configuration Manager. However, if a task sequence results in unwanted or
inconsistent results, look at ways to simplify the operation:

Use simpler steps

Divide the actions across multiple task sequences

Take a phased approach to creating and testing the task sequence

Supported steps

The following steps are supported for use in a non-OS deployment custom task
sequence:

Check Readiness

Connect To Network Folder

Download Package Content

Install Application

Install Package

Install Software Updates

Restart Computer

Run Command Line

Run PowerShell Script

Run Task Sequence

Set Dynamic Variables

Set Task Sequence Variable

Next steps
Create a custom task sequence

Deploy Windows To Go with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

This topic provides the steps to provision Windows To Go in Configuration Manager.
Windows To Go is an enterprise feature of Windows 8 that enables the creation of a
Windows To Go workspace that can be booted from a USB-connected external drive on
computers that meet the Windows 7 or Windows 8 certification requirements,
regardless of the operating system running on the computer. Windows To Go
workspaces can use the same image enterprises use for their desktops and laptops and
can be managed the same way.

For more information about Windows To Go, see Windows To Go feature overview.

Provision Windows To Go

Windows To Go is an operating system stored on a USB-connected external drive. You
can provision the Windows To Go drive much like you provision other operating system
deployments. However, because Windows To Go is designed to be a user-centric and
highly mobile solution, you must take a slightly different approach to provisioning these
drives.

At a high level, Windows To Go is a two-phased deployment that allows you to
configure the Windows To Go device and prestage content for the operating system
deployment. You can achieve this with minimal impact to the user and limit downtime
for the user's computer. After you prestage the computer, you must complete the
provisioning process to ensure the computer is ready for the user. The provisioning
process is similar to the current operating system deployment process. The following
lists the general workflow to prestage content and provision Windows To Go:

1. Prerequisites to provision Windows To Go

2. Create prestaged media

3. Create a Windows To Go Creator package

4. Update the task sequence to enable BitLocker for Windows To Go

5. Deploy the Windows To Go Creator package and task sequence


6. User runs the Windows To Go Creator

7. Configuration Manager configures and stages the Windows To Go drive

8. User logs in to Windows 8

Prerequisites to provision Windows To Go


Before you provision Windows To Go, you must complete the following in Configuration
Manager:

Distribute a boot image to a distribution point

Before you create prestaged media, you must distribute the boot image to a
distribution point.

Note

Boot images are used to install the operating system on the destination
computers in your Configuration Manager environment. They contain a
version of Windows PE that installs the operating system, as well as any
additional device drivers that are required. Configuration Manager provides
two boot images: One to support x86 platforms and one to support x64
platforms. You can also create your own boot images. For more information,
see Manage boot images.

Distribute the Windows 8 operating system image to a distribution point

Before you create prestaged media, you must distribute the Windows 8 operating
system image to a distribution point.

Note

Operating system images are .WIM format files and represent a compressed
collection of reference files and folders that are required to successfully install
and configure an operating system on a computer. For more information, see
Manage operating system images.

Create a Task Sequence to Deploy Windows 8

You must create a task sequence for a Windows 8 deployment that you will
reference when you create prestaged media. For more information, see Manage
task sequences to automate tasks.

Create prestaged media


Prestaged media contains the boot image used to start the destination computer and
the operating system image that is applied to the destination computer. The computer
that you provision with prestaged media can be started by using the boot image. The
computer can then run an existing operating system deployment task sequence to
install a complete operating system deployment. The task sequence that deploys the
operating system is not included in the media.

You can add content, such as applications and device drivers, in addition to the
operating system image and boot image during the prestage phase. This reduces the
time it takes to deploy an operating system and reduces network traffic because the
content is already on the drive.

Use the following procedure to create the prestaged media.

To create prestaged media


1. In the Configuration Manager console, click Software Library.

2. In the Software Library workspace, expand Operating Systems, and then click Task
Sequences.

3. On the Home tab, in the Create group, click Create Task Sequence Media to start
the Create Task Sequence Media Wizard.

4. On the Select Media Type page, specify the following information, and then click
Next.

Select Prestaged media.

Select Allow unattended operating system deployment to boot to the
Windows To Go deployment with no user interaction.

Important

When you use this option with the SMSTSPreferredAdvertID custom
variable (set later in this procedure), no user interaction is required and
the computer will automatically boot to the Windows To Go deployment
when it detects a Windows To Go drive. The user is still prompted for a
password if the media is configured for password protection. If you use
the Allow unattended operating system deployment setting without
configuring the SMSTSPreferredAdvertID variable, an error will occur
when you deploy the task sequence.

5. On the Media Management page, specify the following information, and then click
Next.

Select Dynamic media if you want to allow a management point to redirect
the media to another management point, based on the client location in the
site boundaries.

Select Site-based media if you want the media to contact only the specified
management point.

6. On the Media Properties page, specify the following information, and then click
Next.

Created by: Specify who created the media.

Version: Specify the version number of the media.

Comment: Specify a unique description of what the media is used for.

Media file: Specify the name and path of the output files. The wizard writes
the output files to this location. For example:
\\servername\folder\outputfile.wim

7. On the Security page, specify the following information, and then click Next.

Select Enable unknown computer support to allow the media to deploy an
operating system to a computer that is not managed by Configuration
Manager. There is no record of these computers in the Configuration
Manager database. Unknown computers include the following:

A computer where the Configuration Manager client is not installed

A computer that is not imported into Configuration Manager

A computer that is not discovered by Configuration Manager

Select Protect the media with a password and enter a strong password to
help protect the media from unauthorized access. When you specify a
password, the user must provide that password to use the prestaged media.

Important

As a security best practice, always assign a password to help protect the
prestaged media.

Note

When you protect the prestaged media with a password, the user is
prompted for the password even when the media is configured with the
Allow unattended operating system deployment setting.

For HTTP communications, select Create self-signed media certificate, and
then specify the start and expiration date for the certificate.

For HTTPS communications, select Import PKI certificate, and then specify
the certificate to import and its password.

For more information about this client certificate that is used for boot images,
see PKI certificate requirements.

User Device Affinity: To support user-centric management in Configuration
Manager, specify how you want the media to associate users with the
destination computer. For more information about how operating system
deployment supports user device affinity, see Associate users with a
destination computer.

Specify Allow user device affinity with auto-approval if you want the
media to automatically associate users with the destination computer. This
functionality is based on the actions of the task sequence that deploys the
operating system. In this scenario, the task sequence creates a relationship
between the specified users and destination computer when it deploys the
operating system to the destination computer.

Specify Allow user device affinity pending administrator approval if you
want the media to associate users with the destination computer after
approval is granted. This functionality is based on the scope of the task
sequence that deploys the operating system. In this scenario, the task
sequence creates a relationship between the specified users and the
destination computer, but waits for approval from an administrative user
before the operating system is deployed.

Specify Do not allow user device affinity if you do not want the media to
associate users with the destination computer. In this scenario, the task
sequence does not associate users with the destination computer when it
deploys the operating system.

8. On the Task Sequence page, specify the Windows 8 task sequence that you
created in the previous section.

9. On the Boot image page, specify the following information, and then click Next.

Important

The architecture of the boot image that is distributed must be appropriate for
the architecture of the destination computer. For example, an x64 destination
computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can boot and run only an x86 boot image. For Windows
8 certified computers in EFI mode, you must use an x64 boot image.

Boot image: Specify the boot image to start the destination computer.

Distribution point: Specify the distribution point that hosts the boot image.
The wizard retrieves the boot image from the distribution point and writes it
to the media.

Note

The administrative user must have Read access rights to the boot image
content on the distribution point. For more information, see Package
access account.

If you selected Site-based media on the Media Management page of this
wizard, in the Management point box, specify a management point from a
primary site.

If you selected Dynamic media on the Media Management page of the
wizard, in the Associated management points box, specify the primary site
management points to use and a priority order for the initial
communications.

10. On the Images page, specify the following information, and then click Next.

Image package: Specify the package that contains the Windows 8 operating
system image.

Image index: Specify the image to deploy if the package contains multiple
operating system images.

Distribution point: Specify the distribution point that hosts the operating
system image package. The wizard retrieves the operating system image from
the distribution point and writes it to the media.

Note

The administrative user must have Read access rights to the operating
system image content on the distribution point. For more information,
see Package access account.

11. On the Select Application page, select application content to include in the media
file, and then click Next.

12. On the Select Package page, select additional package content to include in the
media file, and then click Next.

13. On the Select Driver Package page, select driver package content to include in the
media file, and then click Next.

14. On the Distribution Points page, select one or more distribution points that
contain the content required by the task sequence, and then click Next.

15. On the Customization page, specify the following information, and then click Next.

Variables: Specify the variables that the task sequence uses to deploy the
operating system. For Windows To Go, use the SMSTSPreferredAdvertID
variable to automatically select the Windows To Go deployment by using the
following format:

SMSTSPreferredAdvertID = {DeploymentID}, where DeploymentID is the
deployment ID associated with the task sequence that you will use to
complete the provisioning process for the Windows To Go drive.

Tip

When you use this variable with a task sequence that is set to run
unattended (set earlier in this procedure), no user interaction is required
and the computer automatically boots to the Windows To Go
deployment when it detects a Windows To Go drive. The user is still
prompted for a password if the media is configured for password
protection.

Prestart commands: Specify any prestart commands that you want to run
before the task sequence runs. Prestart commands can be a script or
executable that can interact with the user in Windows PE before the task
sequence runs to install the operating system. Configure the following for the
Windows To Go deployment:

OSDBitLockerPIN: BitLocker for Windows To Go requires a passphrase. Set
the OSDBitLockerPIN variable as part of a prestart command to set the
BitLocker passphrase for the Windows To Go drive.

Warning

After BitLocker is enabled for the passphrase, the user must enter the
passphrase each time the computer boots to the Windows To Go
drive.

SMSTSUDAUsers: Specifies the primary user of the destination computer.
Use this variable to collect the user name, which can then be used to
associate the user and device. For more information, see Associate users
with a destination computer.

Tip

To retrieve the username, you can create an input box as part of the
prestart command, have the user enter their username, and then set
the variable with the value. For example, you can add the following
lines to the prestart command script file:

' Connect to the task sequence environment so that variables can be set
Set env = CreateObject("Microsoft.SMS.TSEnvironment")
UserID = inputbox("Enter Username" ,"Enter your username:","",400,0)
env("SMSTSUDAUsers") = UserID

For more information about how to create a script file to use as your
prestart command, see Prestart commands for task sequence media.

16. Complete the wizard.


Note

It can take an extended period of time for the wizard to complete the
prestaged media file.
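
The prestart commands in step 15 set OSDBitLockerPIN and SMSTSUDAUsers before the task sequence runs. As an added example (not code from the original documentation), the PowerShell prestart script below collects both values, rejects a mismatched or short passphrase and a malformed user name, and sets the variables without echoing the passphrase. It assumes the boot image includes the Windows PE PowerShell component; the function names, the 8-character minimum, the three-attempt limit and the DOMAIN\username check are assumptions of this example.

```powershell
# Added example: prestart command for Windows To Go prestaged media.
# Assumption: the boot image includes the Windows PE PowerShell component.
# Function names, $MinLength and $MaxAttempts are choices made for this example.

$MinLength   = 8   # assumed minimum; align it with your BitLocker policy
$MaxAttempts = 3   # assumed retry limit

function ConvertTo-PlainText {
    param([System.Security.SecureString]$Secure)
    # NetworkCredential unwraps a SecureString without manual BSTR handling.
    (New-Object System.Net.NetworkCredential('', $Secure)).Password
}

function Test-Passphrase {
    param([string]$First, [string]$Second)
    # Returns $null when acceptable, otherwise the reason for rejection.
    if ($First -cne $Second)          { return 'The two entries do not match.' }
    if ($First.Length -lt $MinLength) { return "Use at least $MinLength characters." }
    return $null
}

function Test-UdaUser {
    param([string]$Name)
    # Accept exactly one DOMAIN\username value: no commas, slashes or spaces.
    $Name -match '^[^\\/,\s]+\\[^\\/,\s]+$'
}

# 1. BitLocker passphrase: masked input, entered twice, never written to output.
$passphrase = $null
for ($attempt = 1; $attempt -le $MaxAttempts -and -not $passphrase; $attempt++) {
    $first  = ConvertTo-PlainText (Read-Host 'BitLocker passphrase for this drive' -AsSecureString)
    $second = ConvertTo-PlainText (Read-Host 'Confirm the passphrase' -AsSecureString)
    $problem = Test-Passphrase $first $second
    if ($problem) { Write-Host $problem } else { $passphrase = $first }
}
if (-not $passphrase) {
    Write-Host 'No valid passphrase entered.'
    exit 1   # stop here rather than continue with OSDBitLockerPIN unset
}

# 2. Primary user for user device affinity.
$user = (Read-Host 'Primary user (DOMAIN\username)').Trim()
if (-not (Test-UdaUser $user)) {
    Write-Host 'Expected a single DOMAIN\username value.'
    exit 1
}

# 3. Hand both values to the task sequence environment.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('OSDBitLockerPIN') = $passphrase
$tsenv.Value('SMSTSUDAUsers')   = $user

# 4. Drop the plaintext copies held by this script.
Remove-Variable first, second, passphrase -ErrorAction SilentlyContinue
exit 0
```
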

Create a Windows To Go Creator package


As part of the Windows To Go deployment, you must create a package to deploy the
prestage media file. The package must include the tool that configures the Windows To
Go drive and extracts the prestaged media to the drive. Use the following procedure to
create the Windows To Go Creator package.

To create the Windows To Go Creator package


1. On the server to host the Windows To Go Creator package files, create a source
folder for the package source files.

Note

The computer account of the site server must have Read access rights to the
source folder.

2. Copy the prestaged media file that you created in the Create prestaged media
section to the package source folder.

3. Copy the Windows To Go Creator tool (WTGCreator.exe) to the package source
folder. The creator tool is available on any primary site server at the following
location: <ConfigMgrInstallationFolder>\OSD\Tools\WTG\Creator.

4. Create a package and program by using the Create Package and Program Wizard.

5. In the Configuration Manager console, click Software Library.

6. In the Software Library workspace, expand Application Management, and then
click Packages.

7. On the Home tab, in the Create group, click Create Package.

8. On the Package page, specify the name and description of the package. For
example, enter Windows To Go for the package name and specify Package to
configure a Windows To Go drive using Configuration Manager for the package
description.

9. Select This package contains source files, specify the path to the package source
folder that you created in step 1, and then click Next.

10. On the Program Type page, select Standard program, and then click Next.

11. On the Standard Program page, specify the following:

Name: Specify the name of the program. For example, type Creator for the
program name.

Command Line: Type WTGCreator.exe /wim:PrestageName.wim, where
PrestageName is the name of the prestaged media file that you created and
copied to the package source folder for the Windows To Go Creator package.

Optionally, you can add the following options:

enableBootRedirect: command-line option to change the Windows To Go
startup options to allow boot redirection. When you use this option, the
computer will boot from USB without having to change the boot order in
the computer firmware or have the user select from a list of boot options
during startup. If a Windows To Go drive is detected, the computer boots
to that drive.

Run: Specify Normal to run the program based on the system and program
defaults.

Program can run: Specify whether the program can run only when a user is
logged on.

Run mode: Specify whether the program will run with the logged-on user's
permissions or with administrative permissions. The Windows To Go Creator
requires elevated permissions to run.

Select Allow users to view and interact with the program installation, and
then click Next.

12. On the Requirements page, specify the following:

Platform requirements: Select the applicable Windows 8 platforms to allow
provisioning.

Estimated disk space: Specify the size of the package source folder for the
Windows To Go Creator.

Maximum allowed run time (minutes): Specifies the maximum time that the
program is expected to run on the client computer. By default, this value is
set to 120 minutes.

Important

If you are using maintenance windows for the collection on which this
program is run, a conflict might occur if the Maximum allowed run time
is longer than the scheduled maintenance window. If the maximum run
time is set to Unknown, it will start during the maintenance window, but
will continue to run until it completes or fails after the maintenance
window is closed. If you set the maximum run time to a specific period
(not set to Unknown) that exceeds the length of any available
maintenance window, then that program will not be run.

Note

If the value is set to Unknown, Configuration Manager sets the
maximum allowed run time to 12 hours (720 minutes).

Note

If the maximum run time (whether set by the user or as the default
value) is exceeded, Configuration Manager stops the program if run with
administrative rights is selected and Allow users to view and interact
with the program installation is not selected on the Standard Program
page.

Click Next and complete the wizard.

Update the task sequence to enable BitLocker for Windows To Go

Windows To Go enables BitLocker on an external bootable drive without the use of TPM.
Therefore, you must use a separate tool to configure BitLocker on the Windows To Go
drive. To enable BitLocker, you must add an action to the task sequence after the Setup
Windows and ConfigMgr step.

Note
BitLocker for Windows To Go requires a passphrase. In the Create prestaged media
step, you set the passphrase as part of a prestart command by using the
OSDBitLockerPIN variable.

Use the following procedure to update the Windows 8 task sequence to enable
BitLocker for Windows To Go.

To update the Windows 8 task sequence to enable BitLocker


1. In the Configuration Manager console, click Software Library.

2. In the Software Library workspace, expand Application Management, and then
click Packages.

3. On the Home tab, in the Create group, click Create Package.

4. On the Package page, specify the name and description of the package. For
example, type BitLocker for Windows To Go for the package name and specify
Package to update BitLocker for Windows To Go for the package description.

5. Select This package contains source files, specify the location for the BitLocker
tool for Windows To Go, and then click Next. The BitLocker tool is available on any
Configuration Manager primary site server at the following location:
<ConfigMgrInstallationFolder>\OSD\Tools\WTG\BitLocker\

6. On the Program Type page, select Do not create a program.

7. Click Next and complete the wizard.

8. In the Configuration Manager console, click Software Library.

9. In the Software Library workspace, expand Operating Systems, and then click Task
Sequences.

10. Select the Windows 8 task sequence that you reference in the prestaged media.

11. On the Home tab, in the Task Sequence group, click Edit.

12. Click the Setup Windows and ConfigMgr step, click Add, click General, and then
click Run Command Line. The Run Command Line step is added after the Setup
Windows and ConfigMgr step.

13. On the Properties tab for the Run Command Line step, add the following:
a. Name: Specify a name for the command line, such as Enable BitLocker for
Windows To Go.

b. Command Line: i386\osdbitlocker_wtg.exe /Enable /pwd:<None|AD>

Parameters:

/pwd:<None|AD> - Specify the BitLocker password recovery mode. This
parameter is required when you use the /Enable parameter in the
command line.

Select AD to configure BitLocker Drive Encryption to back up recovery
information for BitLocker-protected drives to Active Directory Domain
Services (AD DS). Backing up recovery passwords for a BitLocker-protected
drive allows administrative users to recover the drive if it is locked. This
ensures that encrypted data belonging to the enterprise can always be
accessed by authorized users. When you specify None, the user is
responsible for keeping a copy of the recovery password or recovery key. If
the user loses that information or neglects to decrypt the drive before
leaving the organization, administrative users cannot easily access the
drive.

/wait:<TRUE|FALSE> - Specify whether the task sequence waits for
encryption to complete before it completes.

c. Select Package, and then specify the package that you created at the start of
this procedure.

d. On the Options tab, add the following conditions:

Condition = Task Sequence Variable

Variable = _SMSTSWTG

Condition = Equals

Value = True

Note

The Enable BitLocker step, which is likely after the new command-line step, is
not used to enable BitLocker for Windows To Go. However, you can keep this
step in the task sequence to use for Windows 8 deployments that do not use
a Windows To Go drive.

Deploy the Windows To Go Creator package and task sequence

Windows To Go is a hybrid deployment process. Therefore, you must deploy the
Windows To Go Creator package and the Windows 8 task sequence. Use the following
procedures to complete the deployment process.

To deploy the Windows To Go Creator package


1. In the Configuration Manager console, click Software Library.

2. In the Software Library workspace, expand Application Management, and then
click Packages.

3. Select the Windows To Go package that you created in the Create a Windows To
Go Creator package step.

4. On the Home tab, in the Deployment group, click Deploy.

5. On the General page, specify the following settings:

a. Software: Verify that the Windows To Go package is selected.

b. Collection: Click Browse to select the collection to which you want to deploy
the Windows To Go package.

c. Use default distribution point groups associated to this collection: Select this
option if you want to store the package content on the collection's default
distribution point group. If you have not associated the selected collection with
a distribution point group, this option will be unavailable.

6. On the Content page, click Add and then select the distribution points or
distribution point groups to which you want to deploy the content associated with
this package and program.

7. On the Deployment Settings page, select Available for the deployment type, and
then click Next.

8. On the Scheduling page, configure when this package and program will be
deployed or made available to client devices.

The options on this page will differ depending on whether the deployment action
is set to Available or Required.

9. On the Scheduling page, configure the following settings, and then click Next.
a. Schedule when this deployment will become available: Specify the date and
time when the package and program is available to run on the destination
computer. When you select UTC, this setting ensures that the package and
program is available for multiple destination computers at the same time rather
than at different times, according to the local time on the destination
computers.

b. Schedule when this deployment will expire: Specify the date and time when
the package and program expires on the destination computer. When you
select UTC, this setting ensures that the task sequence expires on multiple
destination computers at the same time rather than at different times, according
to the local time on the destination computers.

10. On the User Experience page of the Wizard, specify the following information:

Software installation: Allows the software to be installed outside of any
configured maintenance windows.

System restart (if required to complete the installation): Allows a device to
restart outside of configured maintenance windows when required by the
software installation.

Embedded Devices: When you deploy packages and programs to Windows
Embedded devices that are write filter enabled, you can specify to install the
packages and programs on the temporary overlay and commit changes later,
or commit the changes at the installation deadline or during a maintenance
window. When you commit changes at the installation deadline or during a
maintenance window, a restart is required and the changes persist on the
device.

11. On the Distribution Points page, specify the following information:

Deployment options: Specify Download content from distribution point
and run locally.

Allow clients to share content with other clients on the same subnet: Select
this option to reduce load on the network by allowing clients to download
content from other clients on the network that have already downloaded and
cached the content. This option utilizes Windows BranchCache and can be
used on computers running Windows Vista SP2 and later.

Allow clients to use a fallback source location for content: Specify whether to
allow clients to fall back and use a non-preferred distribution point as the
source location for content when the content is not available on a preferred
distribution point.

12. Complete the wizard.

To deploy the Windows 8 task sequence


1. In the Configuration Manager console, click Software Library.

2. In the Software Library workspace, expand Operating Systems, and then click Task
Sequences.

3. Select the Windows 8 task sequence that you created in the Prerequisites to
provision Windows To Go step.

4. On the Home tab, in the Deployment group, click Deploy.

5. On the General page, specify the following settings:

a. Task sequence: Verify that the Windows 8 task sequence is selected.

b. Collection: Click Browse to select the collection that includes all devices for
which a user might provision Windows To Go.

Important

If the prestaged media that you created in the Create prestaged media
section uses the SMSTSPreferredAdvertID variable, you can deploy the task
sequence to the All Systems collection and specify the Windows PE only
(hidden) setting on the Content page. Because the task sequence is
hidden, it will only be available to media.

c. Use default distribution point groups associated to this collection: Select this
option if you want to store the package content on the collection's default
distribution point group. If you have not associated the selected collection with
a distribution point group, this option will be unavailable.

6. On the Deployment Settings page, configure the following settings, and then
click Next.

Purpose: Select Available. When you deploy the task sequence to a user, the
user sees the published task sequence in the Application Catalog and can
request it on demand. If you deploy the task sequence to a device, the user
will see the task sequence in Software Center and can install it on demand.

Make available to the following: Specify whether the task sequence is
available to Configuration Manager clients, media, or PXE.

Important

Use the Only media and PXE (hidden) setting for automated task
sequence deployments. Select Allow unattended operating system
deployment and set the SMSTSPreferredAdvertID variable as part of the
prestaged media to have the computer automatically boot to the
Windows To Go deployment with no user interaction when it detects a
Windows To Go drive. For more information about these prestaged
media settings, see the Create prestaged media section.

7. On the Scheduling page, configure the following settings, and then click Next.

a. Schedule when this deployment will become available: Specify the date and
time when the task sequence is available to run on the destination computer.
When you select UTC, this setting ensures that the task sequence is available for
multiple destination computers at the same time rather than at different times,
according to the local time on the destination computers.

b. Schedule when this deployment will expire: Specify the date and time when
the task sequence expires on the destination computer. When you select UTC,
this setting ensures that the task sequence expires on multiple destination
computers at the same time rather than at different times, according to the
local time on the destination computers.

8. On the User Experience page, specify the following information:

Show Task Sequence progress: Specify whether the Configuration Manager
client displays the progress of the task sequence.

Software installation: Specify whether the user is allowed to install software
outside of configured maintenance windows after the scheduled time.

System restart (if required to complete the installation): Allows a device to
restart outside of configured maintenance windows when required by the
software installation.

Embedded Devices: When you deploy packages and programs to Windows
Embedded devices that are write filter enabled, you can specify to install the
packages and programs on the temporary overlay and commit changes later,
or commit the changes at the installation deadline or during a maintenance
window. When you commit changes at the installation deadline or during a
maintenance window, a restart is required and the changes persist on the
device.

Internet-based clients: Specify whether the task sequence is allowed to run
on an Internet-based client. Operations that install software, such as an
operating system, are not supported with this setting. Use this option only for
generic script-based task sequences that perform operations in the standard
operating system.

9. On the Alerts page, specify the alert settings that you want for this task sequence
deployment, and then click Next.

10. On the Distribution Points page, specify the following information, and then click
Next.

Deployment options: Select Download content locally when needed by
running task sequence.

When no local distribution point is available, use a remote distribution
point: Specify whether clients can use distribution points that are on slow and
unreliable networks to download the content that is required by the task
sequence.

Allow clients to use a fallback source location for content:

Prior to version 1610, you can select the Allow fallback source location for
content check box to allow clients outside these boundary groups to fall
back and use the distribution point as a source location for content when
no other distribution points are available.

Beginning with version 1610, you no longer can configure Allow fallback
source location for content. Instead, you configure relationships between
boundary groups that determine when a client can begin to search
additional boundary groups for a valid content source location.

11. Complete the wizard.

User runs the Windows To Go Creator


After you deploy the Windows To Go package and Windows 8 task sequence, the
Windows To Go Creator is available to the user. The user can go to the software catalog,
or Software Center if the Windows To Go Creator was deployed to devices, and run the
Windows To Go Creator program. Once the creator package is downloaded, a flashing
icon is displayed on the task bar. When the user clicks the icon, a dialog box is displayed
for the user to select the Windows To Go drive to provision (unless the /drive command-
line option is used). If the drive does not meet the requirements for Windows To Go or if
the drive does not have enough free disk space to install the image, the creator program
displays an error message. The user can verify the drive and image that will be applied
from the confirmation page. As the creator configures and prestages content to the
Windows To Go drive, it displays a progress dialog box. After the prestaging is complete,
the creator displays a prompt to restart the computer to boot to the Windows To Go
drive.

Note

If you did not enable boot redirection as part of the command line for the creator
program in the Create a Windows To Go Creator package section, the user might
be required to manually boot to the Windows To Go drive on every system restart.

Configuration Manager configures and stages the Windows To Go drive

After the computer restarts to the Windows To Go drive, the drive will boot into
Windows PE and connect to the management point to get the policy to complete the
operating system deployment. Configuration Manager configures and stages the drive.
After Configuration Manager stages the drive, the user can restart the computer to
finalize the provisioning process (such as to join a domain or install apps). This process
is the same for any prestaged media.

User logs in to Windows 8


After Configuration Manager completes the provisioning process and the Windows 8
lock screen is displayed, the user can log in to the operating system.

Create a task sequence to install an OS
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use task sequences in Configuration Manager to automatically install an OS image on a
destination computer. You create a task sequence that references a boot image used to
start the destination computer, the OS image that you want to install on the destination
computer, and any other additional content, such as other applications or software
updates, that you want to install. Then you deploy the task sequence to a collection that
contains the destination computer.

Create a task sequence to install an OS


There are multiple scenarios to deploy an OS to computers in your environment. In most
cases, create a task sequence and select Install an existing image package in the Create
Task Sequence Wizard. This option creates a task sequence that installs the OS, migrates
user settings, applies software updates, and installs applications.

Prerequisites
Before you create a task sequence to install an OS, the following requirements must be
in place:

Required
A boot image

An OS image

Required (if used)

Synchronize software updates

Add applications

Process to create a task sequence that installs an OS


1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence.
This action starts the Create Task Sequence Wizard.

3. On the Create a New Task Sequence page, select Install an existing Image
package, and then select Next.

4. On the Task Sequence Information page, specify the following settings:

Task sequence name: Specify a name that identifies the task sequence.

Description: Specify a description of what the task sequence does.

Boot image: Specify the boot image that the task sequence uses to install the
OS on the destination computer. The boot image contains a version of
Windows PE, plus any additional required device drivers. For more
information, see Manage boot images.

Important

The architecture of the boot image must be compatible with the
hardware architecture of the destination computer.

5. On the Install Windows page, specify the following settings:

Image package: Specify the package that contains the OS image to install.
For more information, see Manage OS images.

Image: If the OS image package has multiple images, specify the index of the
OS image to install.

Partition and format the target computer installing the operating system:
Specify whether you want the task sequence to partition and format the
destination computer before it installs the OS.

Product key: Specify the Windows product key, if necessary. You can specify
encoded volume license keys and standard product keys. If you use a non-
encoded product key, each group of five characters must be separated by a
dash ( - ). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Server licensing mode: Specify that the server license is Per seat, Per server,
or that no license is specified. If the server license is Per server, also specify
the maximum number of server connections.

Specify how to handle the administrator account for the new OS:

Randomly generate the local administrator account password and
disable the account on all supported platforms (recommended): Windows
disables the local administrator account after the task sequence deploys
the OS image.

Enable the account and specify the local administrator password:
Windows uses the same password for the local administrator account on
all computers where the task sequence deploys the OS image.

6. On the Configure Network page, specify the following settings:

Join a workgroup: Add the destination computer to a workgroup.

Join a domain: Add the destination computer to a domain. In Domain,
specify the name of the domain.

Important

You can browse to locate domains in the local forest, but you must
specify the domain name for a remote forest.

You can also specify an organizational unit (OU) in the Domain OU field. This
setting is optional, and specifies the LDAP X.500-distinguished name of the
OU. If it doesn't already exist, Windows creates the computer account in this
OU.

Account: The user name and password for the account that has permissions
to join the specified domain. For example: domain\user or %variable%.

Important

If you plan to migrate either the domain settings or the workgroup
settings, enter the appropriate domain credentials.

7. On the Install Configuration Manager page, specify the Configuration Manager
client package to install on the destination computer. You can also include any
installation properties.

8. On the State Migration page, specify the following information:

Capture user settings: The task sequence captures the user state. For more
information about how to capture and restore the user state, see Manage
user state.

Capture network settings: The task sequence captures network settings from
the destination computer. It captures the membership of the domain or
workgroup, and the network adapter settings.

Capture Microsoft Windows settings: The task sequence captures Windows
settings from the destination computer before it installs the OS image. It
captures the computer name, registered user and organization name, and the
time zone settings.

9. On the Include Updates page, specify whether to install required software updates,
all software updates, or no software updates. If you specify to install software
updates, Configuration Manager installs only those software updates that are
targeted to the collections that the destination computer is a member of.

10. On the Install Applications page, specify the applications to install on the
destination computer. If you specify multiple applications, you can also specify that
the task sequence continues if the installation of a specific application fails.

11. Complete the wizard.

You can now deploy the task sequence to a collection of computers. For more
information, see Deploy a task sequence.

Pre-cache content
Starting in version 1906, you can enable this type of task sequence to pre-cache content.
The pre-cache feature for available deployments of task sequences lets clients download
relevant content before a user installs the task sequence.

For more information, see Configure pre-cache content.

Example task sequence


Use the following table as a guide as you create a task sequence that deploys an OS
using an existing image. The table helps you decide the general sequence for your task
sequence steps and how to organize and structure those task sequence steps into
logical groups. The task sequence that you create may vary from this sample and can
contain more or fewer task sequence steps and groups.

Note

Use the Create Task Sequence Wizard to create this task sequence.
When you use the Create Task Sequence Wizard to create this new task sequence,
some of the step names are different than what they would be if you manually
added these task sequence steps to an existing task sequence.

Task sequence group or step: Description

Capture File and Settings - (New task sequence group): Create a task sequence
group. A task sequence group keeps similar task sequence steps together for
better organization and error control.

This group contains the steps needed to capture files and settings from the
operating system of a reference computer.

Capture Windows Settings: Use this task sequence step to identify the Microsoft
Windows settings to capture from the reference computer. You can capture the
computer name, user and organizational information, and the time zone settings.

Capture Network Settings: Use this task sequence step to capture network
settings from the reference computer. You can capture the domain or workgroup
membership of the reference computer and the network adapter setting information.

Capture User Files and Settings - (New task sequence subgroup): Create a task
sequence group within a task sequence group. This subgroup contains the steps
needed to capture user state data. Similar to the initial group that you added,
this subgroup keeps similar task sequence steps together for better organization
and error control.

Request User State Storage: Use this task sequence step to request access to a
state migration point where the user state data is stored. You can configure
this task sequence step to capture or restore the user state information.

Capture User Files and Settings: Use this task sequence step to use the User
State Migration Tool (USMT) to capture the user state and settings from the
reference computer that will receive the task sequence associated with this task
step. You can capture the standard options or configure which options to capture.

Release User State Storage: Use this task sequence step to notify the state
migration point that the capture or restore action is complete.

Install Operating System - (New task sequence group): Create another task
sequence subgroup. This subgroup contains the steps needed to install and
configure the Windows PE environment.

Restart in Windows PE: Use this task sequence step to specify the restart
options for the destination computer that receives this task sequence. This step
will display a message to the user indicating that the computer will be
restarted so that the installation can continue.

This step uses the read-only _SMSTSInWinPE task sequence variable. If the
associated value equals false the task sequence step continues.

Partition Disk 0: This task sequence step specifies the actions necessary to
format the hard drive on the destination computer. The default disk number is 0.

This step uses the read-only _SMSTSClientCache task sequence variable. This step
runs if the Configuration Manager client cache doesn't exist.

Apply Operating System: Use this task sequence step to install the operating
system image onto the destination computer. This step first deletes all files on
the volume, except for any Configuration Manager-specific control files. It then
applies all volume images contained in the WIM file to the corresponding
sequential disk volume on the target computer. You can specify a sysprep answer
file and also configure which disk partition is used for the installation.

Apply Windows Settings: Use this task sequence step to configure the Windows
settings configuration information for the destination computer. The Windows
settings you can apply are user and organizational information, product or
license key information, time zone, and the local administrator password.

Apply Network Settings: Use this task sequence step to specify the network or
workgroup configuration information for the destination computer. You can also
specify if the computer uses a DHCP server or you can statically assign the IP
address information.

Apply Device Drivers: Use this task sequence step to install drivers as part of
the operating system deployment. You can allow Windows Setup to search all
existing driver categories by selecting Consider drivers from all categories or
limit which driver categories Windows Setup searches by selecting Limit driver
matching to only consider drivers in selected categories.

This step uses the read-only _SMSTSMediaType task sequence variable. This task
sequence step runs only if the value of the variable doesn't equal FullMedia.

Apply Driver Package: Use this task sequence step to make all device drivers in
a driver package available for use by Windows setup.

Setup Operating System - (New task sequence group): Create another task sequence
subgroup. This subgroup contains the steps needed to set up the installed
operating system.

Setup Windows and ConfigMgr: Use this task sequence step to install the
Configuration Manager client software. Configuration Manager installs and
registers the Configuration Manager client GUID. You can assign the necessary
installation parameters in the Installation properties window.

Install Updates: Use this task sequence step to specify how software updates are
installed on the destination computer. The destination computer isn't evaluated
for applicable software updates until this task sequence step runs. At that
point, the destination computer is evaluated for software updates similar to any
other Configuration Manager-managed client.

This step uses the read-only _SMSTSMediaType task sequence variable. This task
sequence step runs only if the value of the variable doesn't equal FullMedia.

Restore User Files and Settings - (New task sequence subgroup): Create another
task sequence subgroup. This subgroup contains the steps needed to restore the
user files and settings.

Request User State Storage: Use this task sequence step to request access to a
state migration point where the user state data is stored.

Restore User Files and Settings: Use this task sequence step to run the User
State Migration Tool (USMT) to restore user state and settings to a destination
computer.

Release User State Storage: Use this task sequence step to notify the state
migration point that the user state data is no longer needed.

Create a task sequence to upgrade an OS in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use task sequences in Configuration Manager to automatically upgrade an OS on a
destination computer. This upgrade can be from Windows 7 or later to Windows 10 or
later, or from Windows Server 2012 or later to Windows Server 2016 or later. Create a
task sequence that references an OS upgrade package or feature update and any other
content to install, such as applications or software updates. The task sequence to
upgrade an OS is part of the Upgrade Windows to the latest version scenario.

Starting in version 2103, you can upgrade by using a feature update deployed with the
task sequence. This integration combines the simplicity of Windows servicing with the
flexibility of task sequences. Servicing uses content that you synchronize through the
software update point. This process simplifies the need to manually get, import, and
maintain the Windows image content used with a standard task sequence to upgrade
Windows. The size of the servicing ESD file is generally smaller than the OS upgrade
package and WIM image file.

Prerequisites
Before you create the task sequence, make sure the following requirements are in place:

Required
An OS upgrade package is available in the Configuration Manager console.

Starting in version 2103, you can also use a feature update. In this case, the OS
upgrade package isn't required. For more information, see Requirements for a
feature update in a task sequence.

When upgrading to Windows Server 2016 or later, select the Ignore any
dismissable compatibility messages setting in the Upgrade Operating System task
sequence step. Otherwise the upgrade fails.

Required (if used)


Synchronize software updates in the Configuration Manager console.
Add applications to the Configuration Manager console.

Requirements for a feature update in a task sequence


Synchronize the software update point to include the Upgrades classification. For
more information, see Configure classifications and products.

For a deployment package that contains the feature update, distribute it to a
distribution point that the client can access. For more information, see Download
software updates.

Note

If the feature update isn't already downloaded, you can manage the
deployment package when you deploy the task sequence.

When you deploy the task sequence, you can also select the option of No
deployment package for the feature update. When clients run the task
sequence, they download the feature update from peers or the Microsoft
cloud.

The option to Pre-download content for this task sequence doesn't apply to
feature updates.

Review the configuration of the following client settings in the Software Updates
group, which are applicable to this scenario:

Specify thread priority for feature updates: In most instances, set this value to
Normal.

Enable Dynamic Update for feature updates: Use this setting to use dynamic
update to install language packs, features on demand, drivers, and cumulative
updates during Windows Setup. Clients download these other updates from the
internet.

Allow clients to download delta content when available: If you use Windows
Delivery Optimization, the content that the client downloads may be much
smaller.

Known issues with feature updates in a task sequence


Windows 11 feature upgrades aren't available to select in the wizard if the
license terms of the desired feature upgrade haven't been accepted yet. To accept
them, go to the feature upgrade and select "Review License" from the context
menu. Review and accept the license terms to make the upgrade "deployable".

Create a new task sequence

Applies to version 2103

If you need to create a new task sequence, you need an OS upgrade package to
complete the Create Task Sequence Wizard.

Note

To create a task sequence to upgrade Windows, you typically use the steps in the
Process section. The task sequence includes the Upgrade OS step, as well as
additional recommended steps and groups to handle the end-to-end upgrade
process.

You can create a custom task sequence and add the Upgrade OS step. If you
choose this method, also add the Restart Computer step after the Upgrade OS
step. Make sure to use the setting for The currently installed default operating
system to restart the computer into the installed OS and not Windows PE.

If you have an existing in-place upgrade task sequence, edit or copy it. Then change the
Upgrade OS task sequence step to install the feature update.

Starting in version 2107, you can create a new task sequence with just a feature update.

Export, import, and migrate task sequences

If you export a task sequence with the Upgrade OS step that uses a feature update, the
exported task sequence doesn't include the feature update content. When you import
the task sequence, re-add the Upgrade OS step with the feature update.

This behavior is similar if you migrate a task sequence with a feature update between
hierarchies.

Create prestaged content file


You can't currently use the action to Create prestaged content file for a task sequence
with a feature update.

Create standalone media

Standalone media isn't supported for a task sequence with a feature update. When you
try to create standalone media, it fails with entries similar to the following in
CreateTSMedia.log:

Unable to retrieve policy for Task Sequence XYZ004BD from site XYZ.
Failed to initialize.... Verify the user is authorized to create Task Sequence media and has local admin permissions.
MediaGenerator::~MediaGenerator()
Failed to create media generator (0x80070490)
CreateTsMedia failed with error 0x80070490, details=''
Media temp directory 'C:\Users\jqpublic\AppData\Local\Temp\_tsmedia_1053544' is fully cleared
Media creation process that was started from Admin Console completed.
CreateMedia.exe finished with error code 80070490

Process
To upgrade the OS on clients, create a task sequence and select Upgrade an operating
system from an upgrade package in the Create Task Sequence Wizard. The wizard adds the
task sequence steps to upgrade the OS, apply software updates, and install applications.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select Task Sequences.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence.

3. On the Create a New Task Sequence page of the Create Task Sequence Wizard,
select Upgrade an operating system from an upgrade package, and then select
Next.

4. On the Task Sequence Information page, specify the following settings:

Task sequence name: Specify a name that identifies the task sequence.

Description: Optionally specify a description.

5. On the Upgrade the Windows Operating System page, specify the following
settings:

Upgrade package: Specify the upgrade package that contains the OS
upgrade source files. Verify that you've selected the correct upgrade package
by looking at the information in the Properties pane. For more information,
see Manage OS upgrade packages.

Edition index: If there are multiple OS edition indexes available in the
package, select the edition index you want. By default, the wizard selects the
first index.

Product key: Specify the Windows product key for the OS to install. Specify
encoded volume license keys or standard product keys. If you use a standard
product key, separate each group of five characters by a dash ( - ). For
example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX . When the upgrade is for a volume
license edition, the product key may not be required.

Note

This product key can be a multiple activation key (MAK), or a generic
volume licensing key (GVLK). A GVLK is also referred to as a key
management service (KMS) client setup key. For more information, see
Plan for volume activation. For a list of KMS client setup keys, see KMS
client setup keys in the Windows Server activation guide.

Ignore any dismissable compatibility messages: Select this setting if you're
upgrading to Windows Server 2016 or later. If you don't select this setting,
the task sequence fails to complete because Windows Setup is waiting for the
user to select Confirm on a Windows app compatibility dialog.

6. On the Include Updates page, specify whether to install required, all, or no
software updates. Then select Next. If you specify to install software updates,
Configuration Manager installs only those updates targeted to the collections of
which the destination computer is a member.

7. On the Install Applications page, specify the applications to install on the
destination computer, and then select Next. If you select more than one
application, also specify whether the task sequence should continue if the
installation of a specific application fails.

8. Complete the wizard.

Important

When the task sequence runs on a device, the Configuration Manager client creates
several scripts to control the task sequence behavior in various scenarios. When the
task sequence completes, the client doesn't remove these scripts until the
computer restarts. These script files don't contain sensitive information.

Customize
The default task sequence template for in-place upgrade includes other groups with
recommended actions to add before and after the upgrade process. These actions are
common among many customers who are successfully upgrading devices to Windows
10 or later. For more information, see In-place upgrade recommendations.

Next steps
Deploy the task sequence, Deploy the task sequence over the internet, or Create a
phased deployment.

The pre-cache feature for available deployments of task sequences lets clients download
relevant OS upgrade package content before a user installs the task sequence. For more
information, see Configure pre-cache content.

Task sequence steps to manage BIOS to UEFI conversion
Article • 10/04/2022

Windows includes many security features that require UEFI-enabled devices. You might
have newer Windows devices that support UEFI, but are using legacy BIOS. Previously,
converting a device to UEFI required you to go to each device, repartition the hard disk,
and reconfigure the firmware.

With Configuration Manager you can automate the following actions:

Prepare a hard drive for BIOS to UEFI conversion
Convert from BIOS to UEFI as part of the in-place upgrade process
Collect UEFI information as part of hardware inventory

Hardware inventory collects UEFI information


The hardware inventory class (SMS_Firmware) and property (UEFI) are available to help
you determine whether a computer starts in UEFI mode. When a computer is started in
UEFI mode, the UEFI property is set to TRUE. Hardware inventory enables this class by
default. For more information about hardware inventory, see How to configure hardware
inventory.

Create a custom task sequence to prepare the hard drive
You can customize an OS deployment task sequence with the TSUEFIDrive variable. The
Restart Computer step prepares a FAT32 partition on the hard drive for transition to
UEFI. The following procedure provides an example of how you can create task
sequence steps to do this action.

Prepare the FAT32 partition for the conversion to UEFI


In an existing task sequence to install an OS, add a new group with steps to do the BIOS
to UEFI conversion.

1. Create a new task sequence group after the steps to capture files and settings, and
before the steps to install the OS. For example, create a group after the Capture
Files and Settings group named BIOS-to-UEFI.

2. On the Options tab of the new group, add a new task sequence variable as a
condition. Set _SMSTSBootUEFI not equal true. With this condition, the task
sequence only runs these steps on BIOS devices.

3. Under the new group, add the Restart Computer task sequence step. In Specify
what to run after restart, select The boot image assigned to this task sequence is
selected. This action restarts the computer in Windows PE.

4. On the Options tab, add a task sequence variable as a condition. Set
_SMSTSInWinPE equals false. With this condition, the task sequence doesn't run
this step if the computer is already in Windows PE.

5. Add a step to start an OEM tool to convert the firmware from BIOS to UEFI. This
step is typically Run Command Line, with the command to run the OEM tool.

6. Add the Format and Partition Disk task sequence step. In this step, configure the
following options:

a. Create the FAT32 partition to convert to UEFI before the OS is installed. For Disk
type, choose GPT.

b. Go to the properties for the FAT32 partition. In the Variable field, enter
TSUEFIDrive. When the task sequence detects this variable, it prepares the
partition for the UEFI transition before it restarts the computer.

c. Create an NTFS partition that the task sequence uses to save its state and to
store log files.

7. Add another Restart Computer task sequence step. In Specify what to run after
restart, select The boot image assigned to this task sequence is selected to start
the computer in Windows PE.

Tip

By default, the EFI partition size is 500 MB. In some environments, the boot
image is too large to store on this partition. To work around this issue,
increase the size of the EFI partition. For example, set it to 1 GB.

Convert from BIOS to UEFI during in-place upgrade
Windows includes a simple conversion tool, MBR2GPT. It automates the process to
repartition the hard disk for UEFI-enabled hardware. You can integrate the conversion
tool into the in-place upgrade process. Combine this tool with your upgrade task
sequence and the OEM tool that converts the firmware from BIOS to UEFI.

Requirements
A supported version of Windows 10 or later
Computers that support UEFI
OEM tool that converts the computer's firmware from BIOS to UEFI

Process to convert from BIOS to UEFI during an in-place upgrade task sequence
1. Create a task sequence to upgrade an OS

2. Edit the task sequence. In the Post-Processing group, make the following changes:

a. Add the Run Command Line step. Specify the command line for the MBR2GPT
tool. When run in the full OS, configure it to convert the disk from MBR to GPT
without modifying or deleting data. In Command line, enter the following
command: MBR2GPT.exe /convert /disk:0 /AllowFullOS

Tip

You can also choose to run the MBR2GPT.EXE tool when in Windows PE
instead of in the full OS. Add a step to restart the computer to Windows PE
before the step to run the MBR2GPT.EXE tool. Then remove the /AllowFullOS
option from the command line.

For more information about the tool and available options, see MBR2GPT.EXE.

b. Add a step to run the OEM tool that converts the firmware from BIOS to UEFI.
This step is typically Run Command Line, with a command line to run the OEM
tool.

c. Add the Restart Computer step, and select The currently installed default
operating system.

3. Deploy the task sequence.
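
One way to wrap the MBR2GPT command line from step 2, as an added example that is not part of the original documentation: it skips devices that already start in UEFI mode, runs MBR2GPT in /validate mode before /convert, and records the outcome so the OEM firmware step can be conditioned on it. It assumes disk 0 is the system disk and that it runs as a Run PowerShell Script step in the full OS; DiskConvertedToGpt is a hypothetical custom task sequence variable name.

```powershell
# Added example, not Microsoft's code. Runs inside a task sequence in the full OS.
# Assumptions: disk 0 is the system disk; DiskConvertedToGpt is a hypothetical
# custom task sequence variable that later steps can use as a condition.

$ErrorActionPreference = 'Stop'
$DiskNumber = 0

function Invoke-Mbr2Gpt {
    param(
        [Parameter(Mandatory)][ValidateSet('validate', 'convert')][string]$Mode,
        [Parameter(Mandatory)][int]$Disk
    )
    # /AllowFullOS is required because this script runs in the full OS, not Windows PE.
    $exe = Join-Path $env:SystemRoot 'System32\MBR2GPT.exe'
    $arguments = @("/$Mode", "/disk:$Disk", '/AllowFullOS')
    $proc = Start-Process -FilePath $exe -ArgumentList $arguments -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# The task sequence environment COM object exists only while a task sequence runs.
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$tsenv.Value('DiskConvertedToGpt') = 'false'

# 1. Nothing to do on devices that already started in UEFI mode.
if ($tsenv.Value('_SMSTSBootUEFI') -eq 'true') {
    Write-Output 'Device already starts in UEFI mode; skipping conversion.'
    exit 0
}

# 2. Only an MBR disk can be converted.
$style = (Get-Disk -Number $DiskNumber).PartitionStyle
if ($style -ne 'MBR') {
    Write-Output "Disk $DiskNumber partition style is $style; skipping conversion."
    exit 0
}

# 3. Dry run: /validate checks the disk layout without changing the disk.
$rc = Invoke-Mbr2Gpt -Mode validate -Disk $DiskNumber
if ($rc -ne 0) {
    Write-Output "MBR2GPT /validate returned $rc; disk left unchanged."
    exit $rc
}

# 4. Convert, and fail the step with MBR2GPT's own return code on error.
$rc = Invoke-Mbr2Gpt -Mode convert -Disk $DiskNumber
if ($rc -ne 0) {
    Write-Output "MBR2GPT /convert returned $rc."
    exit $rc
}

# 5. Record success so the firmware change only follows a converted disk.
$tsenv.Value('DiskConvertedToGpt') = 'true'
Write-Output "Disk $DiskNumber converted to GPT."
exit 0
```

Add a condition of DiskConvertedToGpt equals true to the OEM tool step so the firmware is switched to UEFI only after the disk layout has actually changed.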


Create a task sequence to capture an OS
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you use a task sequence to deploy an OS to a computer in Configuration
Manager, the computer installs the OS image that you specify in the task sequence. You
can customize the OS image so it includes specific applications and software updates.
First use a build and capture task sequence to build a reference computer. Then capture
the OS image from that reference computer. If you already have a reference computer
available to capture, create a custom task sequence to capture the OS.

Note

To avoid potential hardware driver issues when deploying custom reference images
to different model devices, it is recommended to create custom reference images
using virtual machines (VMs). This minimizes the amount of potentially conflicting
drivers that are included as part of the custom reference image. Additionally it is
recommended not to add any drivers to the custom reference image via either the
Auto Apply Drivers task or the Apply Driver Package task.

About the build and capture task sequence


The build and capture task sequence:

Partitions and formats the reference computer
Installs the OS
Installs the Configuration Manager client
Installs applications
Applies software updates
Captures the OS from the reference computer

The packages associated with the task sequence, such as applications, must be available
on distribution points before you deploy the build and capture task sequence.

Requirements
Before you create a task sequence to install an OS, make sure the following components
are in place:

Required

Boot image

OS image

Required (if used)

Driver packages that contain the necessary Windows drivers to support hardware
on the reference computer. For more information about the task sequence steps to
manage drivers, see Use task sequences to install device drivers.

Software updates

Applications

Create a build and capture task sequence


Use the following procedure to use a task sequence to build a reference computer and
capture the OS.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence
to start the Create Task Sequence Wizard.

3. On the Create a New Task Sequence page, select Build and capture a reference
operating system image.

4. On the Task Sequence Information page, specify the following settings:

Task sequence name: Specify a name that identifies the task sequence.

Description: Specify an optional description for the task sequence. For
example, describe the OS that the task sequence creates.

Boot image: Specify the boot image to use with this task sequence.

Important

The architecture of the boot image must be compatible with the
hardware architecture of the destination computer.

5. On the Install Windows page, specify the following settings:

Image package: Specify the OS image package, which contains the required
files to install the OS.

Image index: Specify the index of the OS to install in the image. If the OS
image contains multiple versions, select the version that you want to install.

Product key: If necessary, specify the product key for the Windows OS to
install. You can specify encoded volume license keys and standard product
keys. If you use a non-encoded product key, separate each group of five
characters with a dash ( - ). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Server licensing mode: If necessary, specify that the server license is Per seat,
Per server, or that no license is specified. If the server license is Per server,
also specify the maximum number of server connections.

Specify how to configure the administrator account for the deployed OS:

Randomly generate the local administrator password and disable the
account on all supported platforms: Create a random password for the
local administrator account. Disable the account when Windows is set
up.

Enable the account and specify the local administrator password: Use the
same password for the local administrator account on all computers where
you deploy this OS.

6. On the Configure Network page, specify the following settings:

Join a workgroup: Specify whether to add the destination computer to a
workgroup when the OS is deployed.

Join a domain: Specify whether to add the destination computer to a domain
when the OS is deployed. In Domain, specify the name of the domain.

Important

You can browse to locate domains in the local forest. Specify the domain
name for a remote forest.

You can also specify an organizational unit (OU). This setting is optional, and
specifies the LDAP X.500 distinguished name of the OU in which to create the
computer account, if it doesn't already exist.

Account: Specify the user name and password for the account that has
permissions to join the specified domain. For example: domain\user or
%variable% .

Important

If you plan to migrate either the domain settings or the workgroup
settings during the deployment, make sure you enter the appropriate
domain credentials here.

7. On the Install Configuration Manager page, specify the Configuration Manager
client package. This package contains the source files to install the Configuration
Manager client. Also specify any additional properties needed to install the client.

For more information, see About client installation properties.

8. On the Include Updates page, specify whether to install required software updates,
all software updates, or no software updates. If you specify to install software
updates, Configuration Manager installs only those software updates that are
targeted to the collections that the destination computer is a member of.

9. On the Install Applications page, specify the applications to install on the
destination computer. If you specify multiple applications, you can also specify that
the task sequence continues if the installation of a specific application fails.

Note

The System Preparation page appears next in the wizard, but it's no longer
used. Select Next to continue.

10. On the Images Properties page, specify the following settings for the OS image:

Created by: Specify the name of the user to note as the creator of the OS
image.

Version: Specify your version number that's associated with the OS image.
This attribute doesn't need to be the OS version, as the site stores that value
separately.

Description: Specify your description of the OS image.

11. On the Capture Image page, specify the following settings:


Path: Specify a shared network folder where Configuration Manager should
store the output image file (.wim). This file contains the OS image that's
based on the settings you specify in this wizard. If you specify a folder that
contains an existing .WIM file, it's overwritten.

Account: Specify the Windows account that has permissions to the network
share where the image is stored.

12. Complete the wizard.

To add additional steps to the task sequence, select it, and choose Edit. For more
information about how to edit a task sequence, see Use the task sequence editor.

Deploy the task sequence to a reference computer in one of the following ways:

If the reference computer is already a Configuration Manager client, deploy the


build and capture task sequence to a collection that contains the reference
computer. For more information, see Deploy a task sequence.

If the reference computer isn't a Configuration Manager client, or if you want to
manually run the task sequence on the reference computer, use the Create Task
Sequence Media Wizard to create bootable media. For more information, see
Create bootable media.

After you capture the image, you can deploy it to other computers. For more
information about how to deploy the captured OS image, see Create a task sequence to
install an OS.

Capture from an existing reference computer


When you already have a reference computer ready to capture, create a task sequence
that only captures the OS from the reference computer. Use the Capture Operating
System Image task sequence step to capture one or more images from a reference
computer and store them in an image file (.wim) on the specified network share. Start
the reference computer in Windows PE with a boot image. The task sequence captures
each hard drive on the reference computer as a separate image within the .wim file. If
the referenced computer has multiple drives, the resulting .wim file contains a separate
image for each volume. It only captures volumes that are formatted as NTFS or FAT32. It
skips volumes with other formats or USB volumes.

Use the following procedure to capture an OS image from an existing reference
computer:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence.
This action starts the Create Task Sequence Wizard.

3. On the Create a New Task Sequence page, select Create a new custom task
sequence.

4. On the Task Sequence Information page, specify a name for the task sequence.
Optionally add a description for the task sequence.

5. Specify a boot image for the task sequence. Configuration Manager uses this boot
image to start the reference computer with Windows PE. For more information, see
Manage boot images.

6. Complete the wizard.

7. In the Task Sequences node, select the new task sequence. Then on the Home tab
of the ribbon, in the Task Sequence group, select Edit. This action opens the task
sequence editor.

8. If the Configuration Manager client is installed on the reference computer:

Go to the Add menu, select Images, and then choose Prepare ConfigMgr Client for
Capture. This step generalizes the Configuration Manager client on the reference
computer.

Note

The task sequence doesn't support uninstalling the Configuration Manager
client.

9. Go to the Add menu, select Images, and choose Prepare Windows for Capture.
This step runs Sysprep, and then restarts the computer to the Windows PE boot
image specified for the task sequence. For this action to complete successfully,
don't join the reference computer to a domain.

10. Go to the Add menu, select Images, and choose Capture Operating System Image.
This step only runs from Windows PE to capture the hard drives on the reference
computer. Configure the following settings:

Name and Description: Optionally, you can change the name of the task
sequence step and provide a description.
Destination: Specify a shared network folder where the output .WIM file is
stored. This file contains the OS image based on the settings that you specify
by using this wizard. If you specify a folder that contains an existing .WIM file,
it's overwritten.

Description, Version, and Created by: Optionally, provide details about the
image to capture.

Capture operating system image account: Specify the Windows account that
has permissions to the network share you specified. Select Set to specify the
name of that Windows account.

Select OK to save your changes and close the task sequence editor.

Deploy the task sequence to a reference computer in one of the following ways:

If the reference computer is already a Configuration Manager client, deploy the
capture task sequence to a collection that contains the reference computer. For
more information, see Deploy a task sequence.

If the reference computer isn't a Configuration Manager client, or if you want to
manually run the task sequence on the reference computer, use the Create Task
Sequence Media Wizard to create capture media. For more information, see
Create capture media.

After you capture the image, you can deploy it to other computers. For more
information about how to deploy the captured OS image, see Create a task sequence to
install an OS.
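
A pre-flight check for the capture folder used in both procedures above (the Path setting on the Capture Image page and the Destination setting of the Capture Operating System Image step), as an added example that isn't part of the original documentation. It lists .wim files that the next capture would overwrite and NTFS write access held by broad built-in groups; the function name and the UNC path in the usage comment are placeholders.

```powershell
# Added example, not part of the original documentation.
# Test-CaptureDestination and \\fileserver\OSCapture are placeholder names.

function Test-CaptureDestination {
    [CmdletBinding()]
    param(
        # Folder entered as Path (Capture Image page) or Destination
        # (Capture Operating System Image step).
        [Parameter(Mandatory)]
        [string] $Path
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Capture folder '$Path' doesn't exist or isn't reachable."
    }

    # A capture overwrites an existing .wim in the folder, so list what is there.
    $existingWim = @(Get-ChildItem -LiteralPath $Path -Filter '*.wim' -File |
        Select-Object Name, Length, LastWriteTime)

    # Well-known SIDs of built-in groups that cover far more than the single
    # capture account the wizard asks for.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    # Rights that let a principal replace or remove an image file. The last two
    # values are GENERIC_WRITE and GENERIC_ALL, which can appear on inherit-only ACEs.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete' -bor
        0x40000000 -bor 0x10000000

    # Get-Acl returns the NTFS ACL. Share-level permissions are a separate
    # layer; review them on the file server with Get-SmbShareAccess.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $broadWrite = @(foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $broadSids.ContainsKey($sid) -and
            (([int]$rule.FileSystemRights -band $writeBits) -ne 0)) {
            [pscustomobject]@{
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    })

    [pscustomobject]@{
        Path             = $Path
        ExistingWimFiles = $existingWim
        BroadWriteAccess = $broadWrite
        ReadyForCapture  = ($existingWim.Count -eq 0 -and $broadWrite.Count -eq 0)
    }
}

# Usage (placeholder path):
# Test-CaptureDestination -Path '\\fileserver\OSCapture' | Format-List
```

Run it with an account that can read the folder's ACL. A captured image is later applied to other computers, so write access to this folder is worth keeping as narrow as the capture account itself.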

Example task sequence


Use the following table as a guide as you create a task sequence that builds and
captures an OS image. The table helps you decide the general sequence for your task
sequence steps, and how to organize and structure those steps into logical groups. The
task sequence that you create may vary from this sample. It can contain more or fewer
steps and groups.

Note

Always use the Create Task Sequence Wizard to create this type of task sequence.

The wizard adds steps to the task sequence with slightly different names than what
you'd see if you manually add the same steps.

Group: Build the Reference Machine
This group contains the actions necessary to build a reference computer.

| Task sequence step | Description |
|---|---|
| Restart in Windows PE | Restart the destination computer to the boot image assigned to the task sequence. This step displays a message to the user that the computer will be restarted so that the installation can continue. This step uses the read-only _SMSTSInWinPE task sequence variable. If the associated value equals false, then the task sequence step continues. |
| Partition Disk 0 - BIOS | Partition and format the hard drive on the destination computer in BIOS mode. The default disk number is 0. This step uses several read-only task sequence variables. For example, it only runs if the Configuration Manager client cache doesn't exist, and doesn't run if the computer is configured for UEFI. |
| Partition Disk 0 - UEFI | Partition and format the hard drive on the destination computer in UEFI mode. The default disk number is 0. This step uses several read-only task sequence variables. For example, it only runs if the Configuration Manager client cache doesn't exist, and only runs if the computer is configured for UEFI. |
| Apply Operating System | Install the specified OS image on the destination computer. This step first deletes all files on the volume, other than Configuration Manager-specific control files. It then applies all volume images contained in the WIM file to the corresponding sequential disk volume on the target computer. |
| Apply Windows Settings | Configure the Windows settings for the destination computer. |
| Apply Network Settings | Specify the network or workgroup configuration information for the destination computer. |
| Apply Device Drivers | Match and install drivers as part of this OS deployment. For more information, see Auto Apply Drivers. This step uses the read-only _SMSTSMediaType task sequence variable. If the associated value doesn't equal FullMedia, this step doesn't run. |
| Setup Windows and Configuration Manager | Install the Configuration Manager client software. Configuration Manager installs and registers the Configuration Manager client GUID. Include any necessary Installation properties. |
| Install Updates | Specify how software updates are installed on the destination computer. The destination computer isn't evaluated for applicable software updates until this step runs. At that point, the evaluation is similar to any other Configuration Manager-managed client. For more information, see Install Software Updates. This step uses the read-only _SMSTSMediaType task sequence variable. If the associated value doesn't equal FullMedia, this step doesn't run. |
| Install Applications | Specifies any applications to install on the reference computer. |

Group: Capture the Reference Machine


This group contains the necessary steps to prepare and capture a reference computer.

| Task sequence step | Description |
|---|---|
| Prepare Configuration Manager Client | Generalize the Configuration Manager client on the reference computer. |
| Prepare OS | Runs Sysprep to generalize Windows. It then restarts the computer into the Windows PE boot image specified for the task sequence. |
| Capture the Reference Machine | Captures the image to the specified network share and .WIM file. |

Important

After you capture an image from a reference computer, don't capture another OS
image from the reference computer. Registry entries are created during the initial
configuration. Create a new reference computer each time that you capture the OS
image. If you plan to use the same reference computer to create future OS images,
first uninstall and reinstall the Configuration Manager client.

Next steps
Methods to deploy enterprise operating systems

Create a task sequence to capture and restore user state in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Use Configuration Manager task sequences to capture and restore the user state data in
OS deployment scenarios. In these scenarios, you want to retain the user state of the
current OS. Depending on the type of task sequence you create, the capture and restore
steps might be automatically added as part of the task sequence. In other scenarios, you
might need to manually add the capture and restore steps to the task sequence. This
article provides the steps that you must add to an existing task sequence to capture and
restore user state data.

Task sequence steps


To capture and restore the user state, add the following steps to the task sequence:

Request State Store: If you store the user state on the state migration point, you
need this step.

Capture User State: This step captures the user state data. It then stores the data
on either the state migration point or the local disk using hardlinks.

Restore User State: This step restores the user state data on the destination
computer. It can retrieve the data from a state migration point or, if the data is
hardlinked, from the local disk.

Release State Store: If you store the user state on the state migration point, you
need this step. This step removes the data from the state migration point.

Use the following procedures to add the task sequence steps needed to capture and
restore the user state. For more information about creating a task sequence, see
Manage task sequences to automate tasks.

Capture the user state


To add task sequence steps to capture the user state, use the following steps:
1. In the Task Sequence list, select a task sequence, and then click Edit.

2. If you're using a state migration point to store the user state, add the Request
State Store step to the task sequence. In the Task Sequence Editor, click Add. Point
to User State, and then click Request State Store. Configure the properties and
options for this step, and then click Apply. For more information about the
available settings, see Request State Store.

3. Add the Capture User State step to the task sequence. In the Task Sequence
Editor, click Add. Point to User State, and then click Capture User State. Configure
the properties and options for this step, and then click Apply. For more
information about the available settings, see Capture User State.

Important

When you add this step to your task sequence, also set the
OSDStateStorePath task sequence variable to specify where to store the user
state data. If you store the user state locally, don't specify a root folder, as that
can cause the task sequence to fail. When you store the user data locally,
always use a folder or subfolder. For more information about this variable, see
Task sequence variables.

4. If you're using a state migration point, add the Release State Store step to the task
sequence. In the Task Sequence Editor, click Add. Point to User State, and then
click Release State Store. Configure the properties and options for this step, and
then click Apply. For more information about the available settings, see Release
State Store.

Important

The task sequence action that runs before the Release State Store step must
be successful before the Release State Store step starts.

Deploy this task sequence to capture the user state on a destination computer. For
information about how to deploy task sequences, see Deploy a task sequence.
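
A guard for the OSDStateStorePath rule in the Important note of step 3, as an added example that isn't part of the original documentation. It assumes the script runs in a Run PowerShell Script step placed before Capture User State, so a drive root fails the task sequence before the capture starts; Test-StateStorePath is a hypothetical helper name and the sample paths are constructed.

```powershell
# Added example, not part of the original documentation.
# Test-StateStorePath is a hypothetical helper name.

function Test-StateStorePath {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string] $Path
    )

    $reason = $null
    if ([string]::IsNullOrWhiteSpace($Path)) {
        $reason = 'OSDStateStorePath is not set.'
    }
    elseif (-not [System.IO.Path]::IsPathRooted($Path)) {
        $reason = 'Path is relative; use a full local or UNC path.'
    }
    else {
        # GetPathRoot returns "C:\" for "C:\UserState" and "C:" for "C:".
        $root = [System.IO.Path]::GetPathRoot($Path)

        # The documented restriction is about local storage, so the root check
        # is applied to drive-letter paths only.
        if ($root -match '^[A-Za-z]:' -and
            $Path.TrimEnd('\', '/') -eq $root.TrimEnd('\', '/')) {
            $reason = "Path is a root folder ($root); use a folder or subfolder."
        }
    }

    [pscustomobject]@{
        Path    = $Path
        IsValid = ($null -eq $reason)
        Reason  = $reason
    }
}

try {
    # COM object that exposes task sequence variables. It's available only
    # while a task sequence is running.
    $tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
}
catch {
    $tsEnv = $null
}

if ($tsEnv) {
    $check = Test-StateStorePath -Path ([string]$tsEnv.Value('OSDStateStorePath'))
    if (-not $check.IsValid) {
        Write-Warning $check.Reason
        exit 1   # A non-zero exit code fails the step before any capture starts.
    }
}
else {
    # Outside a task sequence: run the check on constructed sample values.
    'C:\', 'D:', 'C:\UserState', '\\server\share\state', '' |
        ForEach-Object { Test-StateStorePath -Path $_ } |
        Format-Table -AutoSize
}
```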

Restore the user state


To add task sequence steps to restore the user state, use the following steps:

1. In the Task Sequence list, select a task sequence, and then click Edit.
2. Add the Restore User State step to the task sequence. In the Task Sequence
Editor, click Add. Point to User State, and then click Restore User State. This step
establishes a connection to the state migration point if necessary. Configure the
properties and options for this step, and then click Apply. For more information
about the available settings, see Restore User State.

Important

When you use the Capture User State step with the option to Capture all user
profiles with standard options, you must select the Restore local computer
user profiles setting in the Restore User State step. Otherwise the task
sequence will fail.

Note

If you store the user state by using local hardlinks and the restore isn't
successful, you can manually delete the hardlinks that were created to store
the data. The task sequence can run the USMTUtils tool to automate this
action with a Run Command Line step. If you use USMTUtils to delete the
hardlink, add a Restart Computer step after you run USMTUtils.

3. If you're using a state migration point to store the user state, add the Release
State Store step to the task sequence. In the Task Sequence Editor, click Add. Point
to User State, and then click Release State Store. Configure the properties and
options for this step, and then click Apply. For more information about the
available settings, see Release State Store.

Important

The task sequence action that runs before the Release State Store step must
be successful before the Release State Store step starts.

Deploy this task sequence to restore the user state on a destination computer. For
information about deploying task sequences, see Deploy a task sequence.

Next steps
Monitor the task sequence deployment

Create a custom task sequence with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When you create a custom task sequence in Configuration Manager, it contains no task
sequence steps. After you create the task sequence, edit it, and add the task sequence
steps you need.

Create a custom task sequence


Use the following procedure to create a custom task sequence:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence.
This action starts the Create Task Sequence Wizard.

3. On the Create a New Task Sequence page, select Create a new custom task
sequence.

4. On the Task Sequence Information page, specify:

A name for the task sequence
A description of the task sequence
An optional boot image for the task sequence to use

After you complete the Create Task Sequence Wizard, Configuration Manager adds the
custom task sequence to the Task Sequences node. You can now edit this task sequence
to add task sequence steps to it.

See also
For a list of available task sequence steps, see Task sequence steps.

For more information about how to edit a task sequence, see Use the task sequence
editor.

Most often you'll use task sequences to automate tasks for OS deployment, but you can
create a custom task sequence to automate different kinds of tasks. For more
information, see Create a task sequence for non-OS deployments.

Starting in version 2002, install complex applications using task sequences via the
application model. Add a deployment type to an app that's a task sequence, either to
install or uninstall the app. For more information, see Create Windows applications.

Next steps
Deploy the task sequence

Manage task sequences
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you create a task sequence, there are additional settings that you can configure.
Task sequences are located in the Configuration Manager console. In the Software
Library workspace, expand Operating Systems, and select Task Sequences. The Task
Sequences node, including subfolders that you create, is replicated throughout the
Configuration Manager hierarchy. For planning information, see Planning considerations
for automating tasks.

Edit
Modify a task sequence by adding or removing steps, adding or removing groups, or by
changing the order of the steps. For more information, see Use the task sequence
editor.

Properties
The task sequence editor configures the steps of the task sequence. There are additional
settings available on the Properties of the task sequence, which control other aspects of
how the task sequence runs and behaves.

In the Configuration Manager console, go to the Software Library workspace, expand
Operating Systems, and select Task Sequences. Select the task sequence to configure,
and then in the ribbon select Properties.

The following sections provide more details about each tab of the task sequence
properties.

General tab: Software Center properties


On the General tab, the following settings for Software Center are available:

Restart required
Lets the user know whether a restart is required during the installation.

Download size (MB)
Specifies how many megabytes are displayed in Software Center for the task sequence.

Estimated run time (minutes)

Specifies the estimated run time in minutes that's displayed in Software Center for the
task sequence.

Advanced tab
On the Advanced tab, the following settings are available:

Run another program first

Select this option to run a program in another package before the task sequence runs.
By default, this option isn't enabled. You don't need to separately deploy the program
that you specify to run first.

Important

This setting applies only to task sequences that run in the full OS. If you start the
task sequence by using PXE or boot media, Configuration Manager ignores this
setting.

It also doesn't apply to task sequences that run on clients that communicate via a
cloud management gateway (CMG). This option uses the UNC network path of the
package, which isn't accessible via CMG.

Package: Browse for the package that contains the program to run before this task
sequence.

Program: Select the program to run before this task sequence.

Note

If the selected program fails to run on a client, the task sequence doesn't run.
If the selected program runs successfully, it doesn't run again, even if the task
sequence is rerun on the same client.

Suppress task sequence notifications
Select this option to hide the New Software is available toast notification. You still see
the New software icon from Software Center in the notification area. By default, this
option is disabled.

Disable this task sequence on computers where it is deployed

If you select this option, Configuration Manager temporarily disables all deployments
that contain this task sequence. It also removes the task sequence from the list of
deployments available to run. The task sequence doesn't run until you enable it. By
default, this option is disabled.

Maximum allowed run time

Specifies the maximum time in minutes that you expect the task sequence to run on the
destination computer. Use a whole number equal to or greater than zero. By default, this
value is 120 minutes.

Important

If you're using maintenance windows for the collection to which you deploy this
task sequence, a conflict might occur if the Maximum allowed run time is longer
than the scheduled maintenance window. If you set the maximum run time to 0,
the task sequence starts during the maintenance window. It continues to run until it
completes or fails after the maintenance window is closed. As a result, task
sequences with a maximum run time set to 0 might run past the end of their
maintenance windows. If you set the maximum run time to a specific period
(non-zero) that exceeds the length of any available maintenance window, then that task
sequence doesn't run. For more information, see How to use maintenance
windows.

If you set the value as 0, Configuration Manager evaluates the maximum allowed run
time as 12 hours (720 minutes) for monitoring progress. However, the task sequence
starts as long as the countdown duration doesn't exceed the maintenance window
value.

Note

When it reaches the maximum run time, if you don't allow users to interact with a
required deployment, then Configuration Manager stops the task sequence. If the
task sequence itself isn't stopped, Configuration Manager stops monitoring the
task sequence after it reaches the maximum allowed run time.

Use a boot image

Use the selected boot image when the task sequence is run. Select Browse to select a
different boot image. Clear this option to disable the use of the selected boot image
when the task sequence runs.

This task sequence can run on any platform

If you select this option, Configuration Manager doesn't check the platform type of the
destination computer when the task sequence runs. This option is selected by default.

This task sequence can only run on the specified client platforms

This option specifies the processors, OS versions, and service packs on which this task
sequence can run. When you select this option, select at least one platform from the list.
By default, no platforms are selected. Configuration Manager uses this information
when it evaluates which destination computers in a collection receive the deployed task
sequence.

Note

When you run a task sequence from boot media or PXE, Configuration Manager
ignores this option. The task sequence runs as though the option This program can
run on any platform is selected.

User Notification tab for high-impact settings


Configure a task sequence as high-impact and customize the messages that users
receive when they run the task sequence. For more information, see High-impact task
sequence settings.

Any task sequence that meets certain conditions is automatically defined as
high-impact. For more general information, see Manage high-risk deployments.

More Options tab


Note

In version 2111 and earlier, this tab is named Performance.

To improve the overall speed of the task sequence, run it with the high-performance
power plan. It configures Windows to use its built-in high-performance power plan,
which delivers maximum performance at the expense of higher power consumption. For
more information, see Task sequence performance.

Custom icons for task sequences


Starting in version 2203, add custom icons for task sequences. These icons appear in
Software Center when you deploy the task sequence. Instead of a default icon, a custom
icon can improve the user experience to better identify the software.

On the More Options tab of task sequence properties, in the section for the icon, select
Browse. Select an icon from the default shell library, or browse to another file in a local
or network path.

It supports the following file types:

Programs (.exe)
Libraries (.dll)
Icons (.ico)
Images (.png, .jpeg, .jpg)

The file doesn't need to be on clients that you target with the deployment.
Configuration Manager includes the image with the deployment policy.
The maximum file size for an image is 256 KB.
Icons can have pixel dimensions of up to 512 x 512.

When clients receive the deployment policy, they'll display the icon in Software Center.

Note

To take full advantage of new Configuration Manager features, after you update the
site, also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.

Additional actions
You can manage task sequences by using additional actions when you select a task
sequence.

Edit action
For more information, see Use the task sequence editor.

Enable
Enables the task sequence so that clients can run it. You don't need to redeploy a task
sequence after it's enabled.

Disable
Disables the task sequence so that it can't run on computers. You can deploy a disabled
task sequence, but computers don't run the task sequence until you enable it.

Export
For more information, see Export and import task sequences.

Copy
Makes a copy of the selected task sequence. This action is useful to create a new task
sequence that's based on an existing task sequence.

When you make a copy of a task sequence in a folder, the copy is listed in that folder
until you refresh the task sequence node. After the refresh, the copy appears in the root
folder.

Refresh
Refreshes the details for the selected task sequence.

Delete
Deletes the selected task sequence.

Create Phased Deployment


For more information, see Create phased deployments.

Deploy
For more information, see Deploy a task sequence.

Distribute Content
Starts the Distribute Content Wizard to send the referenced content to distribution
points.

Create Prestaged Content File


Starts the Create Prestaged Content File Wizard to prestage the task sequence content.
For information about how to create a prestaged content file, see Prestage content.

Move
Moves the selected task sequence to another folder in the Task Sequences node.

Set Security Scopes


Select the security scopes for the selected task sequence. For more information, see
Security scopes.

Properties action
For more information, see Properties.

View
The View action on task sequences is the default. This action lets you see the steps of
the task sequence without locking it for editing. For more information, see Use the task
sequence editor.

Next steps
Distribute referenced content
Reduce the size of task sequence policy
Deploy a task sequence
How to use task sequence variables

High-impact task sequence settings
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configure a task sequence as high-impact and customize the messages that users
receive when they run the task sequence. Any task sequence that meets certain
conditions is automatically defined as high-impact. For more information, see Manage
high-risk deployments.

Warning

If you use PXE deployments, and configure device hardware with the network
adapter as the first boot device, these devices can automatically start an OS
deployment task sequence without user interaction. Deployment verification
doesn't manage this configuration. While this configuration may simplify the
process and reduce user interaction, it puts the device at greater risk for accidental
reimage.

Set a task sequence as high-impact


Use the following procedure to set a task sequence as high-impact.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select Task Sequences.

2. Select the task sequence to configure, and select Properties.

3. On the User Notification tab, select This is a high-impact task sequence.

Create a custom notification

Note

The client only displays high-impact notifications for required OS deployment task
sequences. It doesn't display them for non-OS deployment or stand-alone task
sequences.

Use the following procedure to create a custom notification for high-impact
deployments.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select Task Sequences.

2. Select the task sequence to configure, and select Properties.

3. On the User Notification tab, select Use custom text.

Note

You can only set user notification text when you select the option, This is a
high-impact task sequence.

4. Configure the following settings:

Note

Each text box has a maximum limit of 255 characters.

User notification headline text: Specifies the blue text that displays on the
Software Center user notification. For example, in the default user
notification, this section contains "Confirm you want to upgrade the
operating system on this computer."

User notification message text: There are three text boxes that provide the
body of the custom notification. All text boxes require that you add text.

First text box: Specifies the main body of text, typically containing
instructions for the user. For example, in the default user notification, this
section contains "Upgrading the operating system takes time and your
computer might restart several times."

Second text box: Specifies the bold text under the main body of text. For
example, in the default user notification, this section contains "This
in-place upgrade installs the new operating system and automatically
migrates your apps, data, and settings."

Third text box: Specifies the last line of text under the bold text. For
example, in the default user notification, this section contains "Click Install
to begin. Otherwise, click Cancel."

Example
You configure the following custom notification in task sequence properties:

The following notification message displays when the end user opens the installation
from Software Center:

Next steps
Task sequence performance

Task sequence performance
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

To improve the overall speed of the task sequence, run it with the high-performance
power plan. It configures Windows to use its built-in high-performance power plan,
which delivers maximum performance at the expense of higher power consumption.
This option is on by default for new task sequences.

When the task sequence starts, in most scenarios it records the currently enabled power
plan. It then switches the active power plan to the Windows default High Performance
plan. If the task sequence restarts the computer, it repeats this process. At the end of
the task sequence, it resets the power plan to the stored value. This functionality works
in both Windows and Windows PE, but has no effect on virtual machines.

If the task sequence starts in Windows PE, the task sequence doesn't record the
currently enabled power plan for later reuse.

An OS deployment task sequence that reimages the computer (wipe and load)
doesn't preserve the power plan setting of the old OS. At the end of the task
sequence, it restores the default Balanced power plan.

You can use this option on devices with modern standby. It also supports other devices
that don't have that default power plan. When you use this task sequence option, it
creates a temporary power plan that's similar to the default for High Performance. This
power plan modifies the timeout values to 0 for standby, monitor, disk, and hibernate
when plugged in. These configurations prevent these devices from falling asleep during
an OS deployment task sequence. After the task sequence completes, it reverts to the
original power plan, and deletes the temporary plan.

Important

To take advantage of this Configuration Manager feature, after you update the site,
update clients to the latest version. Also update boot images to include the latest
client components. While new functionality appears in the Configuration Manager
console when you update the site and console, the complete scenario isn't
functional until the client version is also the latest.

Configure the task sequence


1. In the Configuration Manager console, go to the Software Library workspace.
Expand Operating Systems, and select the Task Sequences node.

2. Select the task sequence to configure, and then in the ribbon select Properties.

3. Switch to the More Options tab.

Tip

In version 2111 and earlier, this tab is named Performance.

4. Enable the option to Run as high performance power plan.

Warning

Be cautious with this setting on low performance hardware. Running intense system
operations for an extended period of time can strain low-end hardware. Check with
your hardware manufacturer for specific guidance.

Known issues
Usually, when you change settings in task sequence properties, it updates all existing
deployments. When you change this performance setting in the task sequence
properties, it doesn't affect any existing deployments of the task sequence. To enable or
disable this setting for high performance, create a new task sequence deployment.

Next steps
Distribute referenced content
Distribute referenced content
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Before clients run a task sequence that references content, distribute that content to
distribution points. At any time, you can select the task sequence and distribute its
content to build a new list of reference packages for distribution. If you make changes
to the task sequence with updated content, redistribute the content before it's available
to clients.

Distribute content
Use the following procedure to distribute the content that is referenced by a task
sequence:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. In the Task Sequence list, select the task sequence that you want to distribute.

3. On the Home tab of the ribbon, in the Deployment group, select Distribute
Content. This action starts the Distribute Content Wizard.

4. On the General page, verify that the correct task sequence is selected for
distribution.

5. On the Content page, verify the content to distribute, such as the boot image
referenced by the task sequence.

6. On the Content Destination page, specify the collections, distribution point, or
distribution point group where you want to distribute the task sequence contents.

Important

If the task sequence that you selected references content that's already
distributed to a specific distribution point, the wizard doesn't list that
distribution point.

7. Complete the wizard.


Prestage content
You can also prestage the content referenced in the task sequence. Configuration
Manager creates a compressed, prestaged content file that contains the files, associated
dependencies, and associated metadata for the content that you select. Then you
manually import the content at a site server, secondary site, or distribution point. For
more information about how to prestage content files, see Prestage content.

Next steps
Reduce the size of task sequence policy

Deploy a task sequence


Reduce the size of task sequence policy
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

When the size of the task sequence policy exceeds 32 MB, the client fails to process the
large policy. The client then fails to run the task sequence deployment. The size of the
task sequence as stored in the site database is smaller, but can still cause problems if
too large. When the client processes the entire task sequence policy, the expanded size
can cause problems over 32 MB.

To check for the 32-MB task sequence policy size on clients, use management insights.

Configuration Manager restricts the following actions for a task sequence in the site
database that's greater than 2 MB in size:

Save changes in the task sequence editor
Save changes with PowerShell cmdlets
Import a new task sequence
Any other change using supported SDK methods

For example, if you try to save changes to a large task sequence, the task sequence
editor will display an error.

Tip

The behavior in version 2010 and later checks for the 2 MB size limit on the task
sequence as stored in the site database. When the client processes the entire task
sequence policy, the expanded size can cause problems over 32 MB. The
management insights check for the 32 MB task sequence policy size.

When you view the list of task sequences in the Configuration Manager console, add the
Size (KB) column. Use this column to identify large task sequences that can cause
problems.

Actions to reduce task sequence size


To help reduce the size of task sequences and task sequence deployment policies, take
the following actions:
Separate functional segments into child task sequences, and use the Run Task
Sequence step. Keep each task sequence less than 2 MB in the database. Each task
sequence has a separate 32-MB limit on its policy size.

Note

Reducing the total number of steps and groups in a task sequence has
minimal impact on the policy size. Each step is generally a couple of KB in
policy. Moving groups of steps to a child task sequence is more impactful.

Reduce the number of software updates in deployments to the same collection as
the task sequence.

Instead of entering a script in the Run PowerShell Script step, reference it via a
package.

There's an 8-KB limit on the size of the task sequence environment when it runs.
Review the usage of custom task sequence variables, which can also contribute to
the policy size.

As a last resort, split a complex, dynamic task sequence into separate task
sequences with distinct deployments to different collections.

Next steps
Export and import task sequences
Export and import task sequences
Article • 04/13/2023

Applies to: Configuration Manager (current branch)

Export and import task sequences with or without their related objects. Use this process
to move task sequences between hierarchies. For example, you create a task sequence
in a development lab and export it. You then import that task sequence into the
production environment to deploy.

This referenced content includes the following objects:

OS images
Boot images
Packages like the client install package
Driver packages
Applications with dependencies
Other task sequences referenced with the Run task sequence step

Consider the following points when you export and import task sequences:

Configuration Manager doesn't export passwords in the task sequence. If you
export and import a task sequence that contains passwords, edit the imported task
sequence to reenter any passwords. Review the following steps that may include a
password:
Join Domain or Workgroup
Connect To Network Folder
Run Command Line

When you export a task sequence with the Set Dynamic Variables step,
Configuration Manager doesn't export values for variables that you configure with
the Secret value setting. Reenter the values for these variables after you import the
task sequence.

When you have multiple primary sites, import task sequences at the central
administration site.

Export
1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.
2. In the Task Sequence list, select the task sequences that you want to export. If you
select more than one task sequence, they're all stored in one export file.

3. On the Home tab of the ribbon, in the Task Sequence group, select Export. This
action starts the Export Task Sequence Wizard.

4. On the General page, specify the following settings:

File: Specify the location and name of the export file. If you enter the file
name directly, be sure to include the .zip extension to the file name. If you
browse for the export file, the wizard automatically adds this file name
extension.

If you don't want to export task sequence dependencies, deselect the option
to Export all task sequence dependencies. By default, the wizard scans for all
the related objects and exports them with the task sequence. These
dependencies include any for applications and child task sequences.

If you don't want to copy the content from the package source to the export
location, deselect the option to Export all content for the selected task
sequences and dependencies. If you select this option, the Import Task
Sequence Wizard uses the import path as the new package source location.

Administrator comments: Add a description of the task sequences to export.

5. Complete the wizard.

The wizard creates the following output files:

If you don't export content: a .zip file.

If you export content: a .zip file and a folder named export_files, where export is the
name of the .zip file that contains the exported content.

If you include content when you export a task sequence, make sure that you copy the
.zip file and the export_files folder, or the import fails.

Note

If you have a multi-site hierarchy, the export of task sequences should be done
from the central administration site because the primary site may not have the
required permissions to all the artifacts.
Import
1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Import Task Sequence.
This action starts the Import Task Sequence Wizard.

3. On the General page of the ribbon, specify the exported .zip file.

4. On the File Content page, select the action that you require for each object that
you import. This page shows all the objects that Configuration Manager found to
import.

If the object has never been imported, select Create New.

If the object has been previously imported, select one of the following
actions:

Ignore Duplicate (default): This action doesn't import the object. Instead,
the wizard links the existing object to the task sequence.

Overwrite: This action overwrites the existing object with the imported
object. For applications, you can add a revision to update the existing
application or create a new application.

5. Complete the wizard.

After you import the task sequence, edit the task sequence to specify any passwords
that were in the original task sequence. For security reasons, passwords aren't exported.

Tip

When you import an object in the Configuration Manager console, it imports to the
current folder. In earlier versions of Configuration Manager, it always put imported
objects in the root node.

Next steps
Deploy a task sequence
Deploy a task sequence
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you create a task sequence, and distribute the referenced content, deploy it to a
device collection. This action allows the task sequence to run on a device. A deployed
task sequence can run automatically, or when installed by a user of the device.

Warning

You can manage the behavior for high-risk task sequence deployments. A high-risk
deployment is a deployment that is automatically installed and has the potential to
cause unwanted results. For example, a task sequence that has a purpose of
Required that deploys an OS is considered a high-risk deployment. For more
information, see Settings to manage high-risk deployments.

Process
Use the following procedure to deploy a task sequence to the computers in a collection.

Note

The status messages for the task sequence deployment are displayed in the
message window on a primary site, but they aren't displayed on a central
administration site.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. In the Task Sequence list, select the task sequence that you want to deploy.

3. On the Home tab of the ribbon, in the Deployment group, select Deploy.

Note

If Deploy isn't available, the task sequence has a reference that's not valid.
Correct the reference and then try to deploy the task sequence again.
4. On the General page, specify the following information.

Task sequence: Specify the task sequence to deploy. By default, this box
displays the selected task sequence.

Collection: Select the collection that contains the computers to run the task
sequence.

Don't deploy a task sequence that installs an OS to inappropriate collections,
such as a collection of all your data center servers. Be sure that the selected
collection contains only those computers that you want to run the task
sequence.

For more information about high-risk deployments, see High-risk
deployments.

Use default distribution point groups associated to this collection: Store the
task sequence content on the collection's default distribution point group. If
you haven't associated the selected collection with a distribution point group,
this option is grayed out.

Automatically distribute content for dependencies: If any referenced
content has dependencies, then the site also sends dependent content to
distribution points.

Pre-download content for this task sequence: For more information, see
Configure pre-cache content.

Select Deployment Template: Save and specify a deployment template for a
task sequence.

Important

Some items aren't saved in the template. Make sure you apply the
following items when you run the deployment wizard:
Software Installation
Scheduling
Pre-download content

Comments (optional): Specify additional information that describes this
deployment of the task sequence.

5. On the Deployment Settings page, specify the following information:


Purpose: From the drop-down list, choose one of the following options:

Available: The user sees the task sequence in Software Center and can
install it on demand.

Required: Configuration Manager automatically runs the task sequence
according to the configured schedule. If the task sequence isn't hidden, a
user can still track its deployment status. They can also use Software
Center to install the task sequence before the deadline.

Note

If multiple users are signed into the device, package and task sequence
deployments may not appear in Software Center.

Make available to the following: Specify whether the task sequence is
available to one of the following types:
Only Configuration Manager clients
Configuration Manager clients, media, and PXE
Only media and PXE
Only media and PXE (hidden)

Important

Use the Only media and PXE (hidden) setting for automated task
sequence deployments. To have the computer automatically boot to the
deployment with no user interaction, select Allow unattended operating
system deployment and set the SMSTSPreferredAdvertID variable as
part of the media. For more information about task sequence variables,
see Task sequence variables.

Send wake-up packets: If the deployment is Required and you select this
option, the site sends a wake-up packet to computers before the client runs
the deployment. This packet wakes the computer from sleep at the
installation deadline time. Before using this option, computers and networks
must be configured for Wake On LAN. For more information, see Plan how to
wake up clients.

Allow clients on a metered Internet connection to download content after
the installation deadline, which might incur additional costs: This option is
only available for Required deployments. When you have a custom task
sequence that installs an application but doesn't deploy an OS, you can
specify whether to allow clients to download content after an installation
deadline when they use metered internet connections. Internet providers
sometimes charge by the amount of data that you use when you're on a
metered internet connection.

Note

While using a metered internet connection might work for task
sequences that don't deploy an OS, it's not supported.

6. On the Scheduling page, specify the following information:

Important

When a Windows PE client starts from PXE or boot media, the client doesn't
evaluate deployment schedules. These schedules include start, expire, and
deadline times. Only configure schedules in deployments to clients that start
from the full Windows OS. Consider using other methods, such as
maintenance windows, to control active task sequences deployed to clients
that start from Windows PE.

Schedule when this deployment will become available: Specify the date and
time when the task sequence is available to run on the destination computer.
When you select the UTC option, the task sequence is available for multiple
computers at the same time. Otherwise the deployment is available at
different times, according to the local time on each computer.

If the start time is earlier than the required time, the client downloads the
task sequence content at the start time.

Schedule when this deployment will expire: Specify the date and time when
the task sequence expires on the destination computer. When you select the
UTC option, the task sequence expires on multiple destination computers at
the same time. Otherwise the deployment expires at different times,
according to the local time on each computer.

Assignment schedule: For a Required deployment, specify when the client
runs the task sequence. You can add multiple schedules. The assignment
schedule can have one of the following configurations:
A specific date and time
Monthly, weekly, or custom recurrence pattern
As soon as possible
Log on or log off events

Note

If you schedule a start time for a required deployment that's earlier than
the date and time when the task sequence is available, the Configuration
Manager client downloads the content at the assigned start time. This
behavior occurs even though you scheduled the task sequence to be
available at a later time.

Rerun behavior: Specify when the task sequence reruns. Select one of the
following options:

Never rerun deployed program: If the client has previously run the task
sequence, it doesn't rerun. The task sequence doesn't rerun even if it
originally failed or the task sequence files have changed.

Always rerun program: The task sequence always reruns on the client
when the deployment is scheduled. It reruns even if the task sequence has
already run successfully. This setting is useful when you use recurring
deployments in which the task sequence is routinely updated.

Important

This option is selected by default. However, it has no effect until you
assign a required deployment. A user can always rerun available
deployments.

Rerun if failed previous attempt: The task sequence reruns when the
deployment is scheduled, only if it previously failed to run. This setting is
useful for a required deployment. If the last attempt to run was
unsuccessful, it automatically tries to rerun according to the assignment
schedule.

Rerun if succeeded on previous attempt: The task sequence reruns only if
it previously ran successfully on the client. This setting is useful when you
use recurring deployments in which the task sequence is routinely
updated, and each update requires that the previous update is installed
successfully.

Note

A user can rerun an available task sequence deployment. Before you
deploy an available task sequence in a production environment, first test
what happens if a user reruns the task sequence multiple times.

7. On the User Experience page, specify the following information:

Allow user to run the program independently of assignments: Specify
whether a user can run a required deployment outside of the assignment
schedule. This option is always enabled for available deployments.

Show Task Sequence progress: Specify whether the Configuration Manager
client displays the progress of the task sequence.

Software installation: Specify whether the user is allowed to install software
outside a configured maintenance window after the scheduled time.

System restart (if required to complete the installation): Specify whether the
user is allowed to restart the computer after a software installation outside a
configured maintenance window after the assignment time.

Write filter handling for Windows Embedded devices: This setting controls
the installation behavior on Windows Embedded devices that are enabled
with a write filter. Choose the option to commit changes at the installation
deadline or during a maintenance window. When you select this option, a
restart is required and the changes persist on the device. Otherwise, the
application is installed to the temporary overlay, and committed later. When
you deploy a task sequence to a Windows Embedded device, make sure the
device is a member of a collection that has a configured maintenance
window.

Allow task sequence to run for client on the Internet: Specify whether the
task sequence is allowed to run on an internet-based client. For more
information, see Deploy a task sequence over the internet.

8. On the Alerts page, specify the alert settings that you want for this task sequence
deployment.

9. On the Distribution Points page, specify the following information:

Deployment options: For more information, see Deployment options.


Allow clients to use distribution points from the neighbor boundary group:
Specify whether clients can use distribution points from a neighbor boundary
group to download the content that's required by the task sequence.

Allow clients to use distribution points from the default site boundary
group: Specify if clients should download content from a distribution point in
the site default boundary group, when it isn't available from a distribution
point in the current or neighbor boundary groups.

Note

When a device runs a task sequence and needs to acquire content, it
uses boundary group behaviors similar to the Configuration Manager
client. For more information, see Task sequence support for boundary
groups.

10. Starting in version 2103, if you use a feature update with the Upgrade OS task
sequence step, the wizard also includes the Deployment Package page. Select one
of the following options:

Select a deployment package: Add the feature updates to an existing
deployment package.

Create a new deployment package: Add the feature updates to a new
deployment package.

No deployment package: When clients run the task sequence, they
download the feature update from peers or the Microsoft cloud.

For more information on these options, see step 11 for the Deployment Package
page when you Create an automatic deployment rule (ADR).

11. To save these settings to use again, on the Summary tab select Save As Template.
Supply a name for the template and select the settings to save.

12. Complete the wizard.

Deployment options
These options are on the Distribution Points tab of the task sequence deployment.
They're dynamic based upon other selections in the deployment and attributes of the
task sequence. You may not always see all options.
Note

When you use multicast to deploy an OS, download the content to the computers
either as needed or before the task sequence runs.

Download content locally when needed by the running task sequence: Specify
that clients download content from the distribution point as it's needed by the task
sequence. The client starts the task sequence. When a step in the task sequence
requires content, it's downloaded before the step runs.

Download all content locally before starting task sequence: Specify that clients
download all the content from the distribution point before the task sequence
runs. If you make the task sequence available to PXE and boot media deployments
on the Deployment Settings page, this option isn't shown.

Access content directly from a distribution point when needed by the running
task sequence: Specify that clients run the content from the distribution point. This
option is only available when you enable all packages associated with the task
sequence to use a package share on the distribution point. To enable content to
use a package share, see the Data Access tab in the Properties for each package.

Important

For greatest security, select the options to Download content locally when needed
by the running task sequence or Download all content locally before starting task
sequence. When you select either of these options, Configuration Manager hashes
the package, so that it can ensure package integrity. When you select the option to
Access content directly from a distribution point when needed by the running
task sequence, Configuration Manager doesn't verify the package hash prior to
running the specified program. Because the site can't ensure package integrity, it's
possible for users with administrative rights to alter or tamper with package
contents.

Example 1: One deployment option

You deploy an OS deployment task sequence that wipes the disk and applies an image.
On the Deployment Settings page, you make it available to an option that includes
media and PXE:
On the Distribution Points page, there's only one deployment option:

Download content locally when needed by the running task sequence

The option to Download all content locally before starting task sequence isn't
available because the deployment is made available to media and PXE.

The option to Access content directly from a distribution point when needed by the
running task sequence isn't available. Not all of the referenced content uses a package
share.

Example 2: Two deployment options

You deploy an OS deployment task sequence that wipes the disk and applies an image.
On the Deployment Settings page, you make it available to Only Configuration
Manager clients. On the Distribution Points page, there are two deployment options
available:

Download content locally when needed by the running task sequence


Download all content locally before starting task sequence

The option to Access content directly from a distribution point when needed by the
running task sequence isn't available. Not all of the referenced content uses a package
share.

Example 3: Three deployment options


You have several packages with administrative scripts and associated content. On the
Data Access tab of the package properties, you configure all of them to Copy the
content in this package to a package share on distribution points.

You create a task sequence that only has several Install Package steps for these script
packages, and then deploy it. On the Deployment Settings page, the only option is to
make it available to Only Configuration Manager clients. No other choice is offered
because the task sequence isn't for OS deployment: it doesn't have a boot image
associated with it. On the Distribution Points page, there are three deployment options
available:

Download content locally when needed by the running task sequence


Download all content locally before starting task sequence
Access content directly from a distribution point when needed by the running
task sequence
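
The option rules and the three examples above can be checked mechanically. The following is an added example, not code from Configuration Manager or from this article: it models which deployment options the Distribution Points page offers and flags deployments that use the option the Important note says skips package hash verification. The Deployment record, its field names, and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

ON_DEMAND = "Download content locally when needed by the running task sequence"
PRE_DOWNLOAD = "Download all content locally before starting task sequence"
DIRECT = ("Access content directly from a distribution point when needed "
          "by the running task sequence")

# Per the Important note: only the two download options are hash-verified.
HASH_VERIFIED = (ON_DEMAND, PRE_DOWNLOAD)

# "Make available to the following" choices that include media and PXE.
MEDIA_AND_PXE = (
    "Configuration Manager clients, media, and PXE",
    "Only media and PXE",
    "Only media and PXE (hidden)",
)


@dataclass
class Deployment:
    """Hypothetical record; populate it from your own inventory of deployments."""
    name: str
    available_to: str
    package_share: dict  # referenced package -> True if it uses a package share
    selected: str        # option chosen on the Distribution Points page


def offered_options(dep):
    """Options the Distribution Points page shows, following the rules above."""
    options = [ON_DEMAND]
    # Pre-download isn't shown when the deployment is available to media and PXE.
    if dep.available_to not in MEDIA_AND_PXE:
        options.append(PRE_DOWNLOAD)
    # Direct access needs every referenced package to use a package share.
    if dep.package_share and all(dep.package_share.values()):
        options.append(DIRECT)
    return options


def audit(deployments):
    """Return (name, issue, detail) for deployments that skip hash verification
    or whose recorded option contradicts the rules (stale or bad inventory)."""
    findings = []
    for dep in deployments:
        offered = offered_options(dep)
        if dep.selected not in offered:
            findings.append((dep.name, "inconsistent-record", offered))
        elif dep.selected not in HASH_VERIFIED:
            # Suggest the hash-verified options this deployment could use instead.
            safer = [o for o in offered if o in HASH_VERIFIED]
            findings.append((dep.name, "no-hash-verification", safer))
    return findings


# Constructed sample data mirroring Examples 1-3 (names are made up).
SAMPLE = [
    Deployment("Example 1: wipe and load, media and PXE", "Only media and PXE",
               {"OS image": False, "Boot image": False}, ON_DEMAND),
    Deployment("Example 2: wipe and load, clients only",
               "Only Configuration Manager clients",
               {"OS image": False, "Boot image": False}, PRE_DOWNLOAD),
    Deployment("Example 3: script packages", "Only Configuration Manager clients",
               {"Admin scripts A": True, "Admin scripts B": True}, DIRECT),
]

if __name__ == "__main__":
    for name, issue, detail in audit(SAMPLE):
        print(f"{name}: {issue}; hash-verified alternatives: {detail}")
```
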

Deploy Windows in-place upgrade via CMG


The Windows in-place upgrade task sequence supports deployment to internet-based
clients managed through the cloud management gateway (CMG). This ability allows
remote users to more easily upgrade Windows without needing to connect to the
intranet.

For more information, see Deploy a task sequence over the internet.

High-risk deployments
When you deploy a high-risk deployment, such as an OS, the Select Collection window
displays only the custom collections that meet the deployment verification settings that
are configured in the site's properties. High-risk deployments are always limited to
custom collections, collections that you create, and the built-in Unknown Computers
collection. When you create a high-risk deployment, you can't select a built-in collection
such as All Systems. To see all custom collections that contain fewer clients than the
configured maximum size, disable the option to Hide collections with a member count
greater than the site's minimum size configuration. For more information, see Settings
to manage high-risk deployments.
The deployment verification settings are based on the current membership of the
collection. After you deploy the task sequence, Configuration Manager doesn't
reevaluate the collection membership for the high-risk deployment settings.

For example, let's say you set Default size to 100 and the Maximum size to 1000. When
you create a high-risk deployment, the Select Collection window only displays
collections that contain fewer than 100 clients. If you clear the Hide collections with a
member count greater than the site's minimum size configuration setting, the window
displays collections that contain fewer than 1000 clients.

When you select a collection that contains a site role, the following behavior applies:

If the collection contains a site system server, and you configured the deployment
verification settings to block collections with site system servers, then an error
occurs. You can't continue creating the deployment.

If one of the following criteria applies, then the Deploy Software Wizard displays a
high-risk warning. To continue, you need to agree to create a high-risk
deployment. The site generates an audit status message.

If the collection contains a site system server, and you configured the
deployment verification settings to warn on collections with site system servers

If the collection exceeds the default size value

If the collection contains a server
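
Because Configuration Manager doesn't reevaluate collection membership after the deployment is created, a collection can later grow past the size limits or pick up a server without any new warning. The following is an added example, not code from Configuration Manager or from this article: it encodes the verification rules described in this section and rechecks existing deployments against current membership. The record types, the "block"/"warn" encoding, and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class VerificationSettings:
    """Deployment verification settings from the site's properties."""
    default_size: int = 100
    maximum_size: int = 1000
    site_system_servers: str = "block"  # "block" or "warn" (hypothetical encoding)


@dataclass
class Collection:
    """Hypothetical snapshot of a collection's current membership."""
    name: str
    builtin: bool
    member_count: int
    has_site_system_server: bool = False
    has_server: bool = False


def listed(col, settings, hide_large=True):
    """Would the Select Collection window list this collection?"""
    # Built-in collections are excluded, except Unknown Computers.
    if col.builtin and col.name != "Unknown Computers":
        return False
    limit = settings.default_size if hide_large else settings.maximum_size
    return col.member_count < limit


def evaluate(col, settings):
    """Return (verdict, reasons): 'block', 'warn' (needs audited consent) or 'ok'."""
    if not listed(col, settings, hide_large=False):
        return "block", ["not selectable for a high-risk deployment"]
    if col.has_site_system_server and settings.site_system_servers == "block":
        return "block", ["contains a site system server"]
    reasons = []
    if col.has_site_system_server:
        reasons.append("contains a site system server")
    if col.member_count > settings.default_size:
        reasons.append("exceeds the default size")
    if col.has_server:
        reasons.append("contains a server")
    return ("warn" if reasons else "ok"), reasons


RANK = {"ok": 0, "warn": 1, "block": 2}


def drift(deployments, settings):
    """Recheck existing deployments against current collection membership.

    deployments: list of (deployment name, verdict at creation, Collection now).
    Returns the entries whose verdict is now worse than at creation time.
    """
    worse = []
    for name, verdict_then, col_now in deployments:
        verdict_now, reasons = evaluate(col_now, settings)
        if RANK[verdict_now] > RANK[verdict_then]:
            worse.append((name, verdict_then, verdict_now, reasons))
    return worse


# Constructed sample data: verdict recorded at creation, membership as of today.
EXISTING = [
    ("Pilot refresh", "ok", Collection("Pilot Laptops", False, 450)),
    ("Kiosk rebuild", "ok",
     Collection("Kiosks", False, 80, has_site_system_server=True)),
    ("Lab reimage", "ok", Collection("Lab VMs", False, 20)),
    ("Branch servers", "warn",
     Collection("Branch Servers", False, 30, has_server=True)),
]

if __name__ == "__main__":
    for name, then, now, reasons in drift(EXISTING, VerificationSettings()):
        print(f"{name}: {then} -> {now} ({', '.join(reasons)})")
```
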

Next steps
Monitor OS deployments

Debug a task sequence


Deploy a task sequence over the internet
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Configuration Manager supports various methods to deploy a task sequence to remote
clients over the internet. You can deploy a Windows upgrade, use bootable media, or
start it from Software Center. This article covers the particular configurations for these
scenarios. First use Deploy a task sequence to create the basic deployment. Then use the
configurations in this article to customize it for internet-based clients.

Warning

You can manage the behavior for high-risk task sequence deployments. A high-risk
deployment is a deployment that is automatically installed and has the potential to
cause unwanted results. For example, a task sequence that has a purpose of
Required that deploys an OS is considered a high-risk deployment. For more
information, see Settings to manage high-risk deployments.

Allow task sequence to run on internet


On the User Experience page of the Deploy Software Wizard, you can configure the
deployment to Allow task sequence to run for client on the Internet. This setting is
required for all internet-based client scenarios. The following sections cover the main
scenarios when you enable this setting.

Note

The task sequence advanced setting to Run another program first doesn't apply to
task sequences that run on clients that communicate via a cloud management
gateway (CMG). This option uses the UNC network path of the package, which isn't
accessible via CMG.

Windows in-place upgrade


Use this setting for deployments of a Windows in-place upgrade task sequence to
internet-based clients through the cloud management gateway (CMG). All supported
versions of Configuration Manager support this scenario. For more information, see
Deploy Windows in-place upgrade via CMG.

Install a Windows imaging task sequence from Software Center
Starting in version 2006, you can deploy a task sequence with a boot image to a device
that communicates through the CMG. The user needs to start the task sequence from
Software Center.

Note

When an Azure Active Directory (Azure AD)-joined client runs an OS deployment
task sequence, the client in the new OS won't automatically join Azure AD. Even
though it's not Azure AD-joined, the client is still managed.

When you run an OS deployment task sequence on an internet-based client that's
either Azure AD-joined or uses token-based authentication, you need to specify the
CCMHOSTNAME property in the Setup Windows and ConfigMgr step.

Use bootable media to install a Windows imaging task sequence
Starting in version 2010, you can use bootable media to reimage internet-based devices
that connect through a CMG. This scenario helps you better support remote workers. If
Windows won't start so that the user can access Software Center, you can now send
them a USB drive to reinstall Windows. For more information, see Deploy an OS over
CMG using bootable media.

In version 2002 and earlier, operations that require a boot media aren't supported with
this setting. Allow a task sequence to run on the internet only for generic software
installations or script-based task sequences that run operations in the standard OS.

Note

For all internet-based task sequence scenarios in version 2002 and earlier, start the
task sequence from Software Center. They don't support Windows PE, PXE, or task
sequence media.

Deploy Windows in-place upgrade via CMG
The Windows in-place upgrade task sequence supports deployment to internet-based
clients managed through the cloud management gateway (CMG). This ability allows
remote users to more easily upgrade to Windows without needing to connect to the
intranet.

Make sure all of the content referenced by the in-place upgrade task sequence is
distributed to a content-enabled CMG. Enable the CMG setting: Allow CMG to function
as a cloud distribution point and serve content from Azure storage. Otherwise devices
can't run the task sequence.

When you deploy an upgrade task sequence, use the following settings:

Allow task sequence to run for client on the Internet, on the User Experience tab
of the deployment.

Choose one of the following options on the Distribution Points tab of the
deployment:

Download content locally when needed by the running task sequence. The
task sequence engine can download packages on-demand from a content-
enabled CMG. This option provides additional flexibility with your Windows in-
place upgrade deployments to internet-based devices.

Download all content locally before starting task sequence. With this option,
the Configuration Manager client downloads the content from the cloud source
before starting the task sequence.

(Optional) Pre-download content for this task sequence, on the General tab of the
deployment. For more information, see Configure pre-cache content.

Note

Start the task sequence from Software Center. This scenario doesn't support
Windows PE, PXE, or task sequence media.

Bootable media support for cloud-based content
Starting in version 2010, bootable media can download cloud-based content. For
example, you send a USB key to a user at a remote office to reimage their device. Or you
have an office with a local PXE server, but you want devices to prioritize cloud services
as much as possible. Instead of further taxing the WAN to download large OS deployment
content, boot media and PXE deployments can now get content from cloud-based
sources, such as a cloud management gateway (CMG) that you enable to share
content.

Note

The device still needs an intranet connection to the management point.

When the task sequence runs, it downloads content from the cloud-based sources.
Review smsts.log on the client.

Prerequisites for bootable media


Enable the following client setting in the Cloud Services group: Allow access to
cloud distribution point. Make sure the client setting is deployed to the target
clients. For more information, see About client settings - Cloud services.

For the boundary group that the client is in:

Associate the content-enabled CMG. For more information, see Configure a
boundary group.

Enable the following option: Prefer cloud based sources over on-premises
sources. For more information, see Boundary group options for peer
downloads.

Distribute the content referenced by the task sequence to the content-enabled
CMG.

Deploy an OS over CMG using bootable media


Starting in version 2010, you can use boot media to reimage internet-based devices that
connect through a CMG. This scenario helps you better support remote workers. If
Windows won't start so that the user can access Software Center, you can now send
them a USB drive to reinstall Windows.

Prerequisites for boot media via CMG


Set up a CMG

For all content referenced in the task sequence, distribute it to a content-enabled
CMG. For more information, see Distribute content.

Enable the following client settings in the Cloud services group:

Allow access to cloud distribution point

Enable clients to use a cloud management gateway

Configure the Apply Network Settings task sequence step to join a workgroup.
During the task sequence, the device can't join the on-premises Active Directory
domain. It doesn't have connectivity to a domain controller to join the domain.

When you deploy the task sequence to a collection, configure the following
settings:

User experience page: Allow task sequence to run for client on the internet

Deployment settings page: Make available to an option that includes media.

Distribution points page, deployment options: Download content locally when
needed by the running task sequence. For more information, see Deployment
options.

Make sure the device has a constant internet connection while the task sequence
runs. Windows PE doesn't support wireless networks, so the device needs a wired
network connection.

If you use a PKI-based certificate for the boot media, configure it for SHA256 with
the Microsoft Enhanced RSA and AES provider. This certificate configuration is
recommended but not required. The certificate can be a v3 (CNG) certificate.

In versions 2010 and 2103, if you configure the management point to Allow
internet-only connections, then you can't use boot media over a CMG. To work
around this issue, configure the management point to Allow intranet and internet
connections.

If your CMG uses a PKI-based certificate, you need to add the trusted root
certificate to the boot image. Otherwise, Windows PE can't communicate with the
CMG because it doesn't trust the CMG's certificate. For more information, see Add
a trusted root certificate to a boot image.

Create boot media to use a CMG


Start the create task sequence media wizard for bootable media. For more information,
see Create bootable media. Modify the standard process using the following steps:

On the Media Management page of the wizard, select the option for Site-based
media.

On the Security page, set a strong password to protect this media.

On the Boot Image page, under Management point select the Cloud
management gateway from the Add Management Points dialog.

When you boot an internet-connected device using this media, it communicates with
the specified CMG. The boot media downloads the policy for the task sequence
deployment via the CMG. As the task sequence runs, it downloads any additional
content and policies over the internet.

After the task sequence runs, the client uses token-based authentication.

Add a trusted root certificate to a boot image


If your CMG uses a PKI-based certificate, you need to add the trusted root certificate to
the boot image. Otherwise, Windows PE can't communicate with the CMG because it
doesn't trust the CMG's certificate.

Step 1: Export the certificate registry blob


On a system that has the trusted root certificate installed:

1. Open the Start menu. Type run to open the Run window. Open mmc.

2. From the File menu, choose Add/Remove Snap-in....

3. In the Add or Remove Snap-ins dialog box, select Certificates, then select Add.

a. In the Certificates snap-in dialog box, select Computer account, then select
Next.

b. In the Select Computer dialog box, select Local computer, then select Finish.

c. In the Add or Remove Snap-ins dialog box, select OK.

4. Expand Certificates, expand Trusted Root Certification Authorities, and select
Certificates.

5. Select the root certificate. On the Action menu, select Open.

6. Switch to the Details tab.

7. Copy the value for the certificate's thumbprint. For example,
eb971f84c0c44b9eb22a378fecb45747eb971f84

8. From the Start menu, run regedit.

9. Browse to the following registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
For more information about this registry key, see System Store Locations.

10. Select the registry key that matches the root certificate's thumbprint.

11. On the File menu, select Export. Specify a file name, and save the .reg file.

12. Edit the file in Notepad. In the key path, change SOFTWARE to winpe-offline, and
save the file. For example:

[HKEY_LOCAL_MACHINE\winpe-offline\Microsoft\SystemCertificates\AuthRoot\Certificates\eb971f84c0c44b9eb22a378fecb45747eb971f84]

13. Copy this file to a location that you can access for the next step.

Step 2: Import the certificate registry blob to the offline boot image

On a system that has the boot image file:

1. Mount the WIM file. For example:
DISM /Mount-image /imagefile:"C:\Sources\boot.wim" /Index:1 /MountDir:C:\Mount

2. From the Start menu, run regedit.

3. Select HKEY_LOCAL_MACHINE. On the File menu, select Load Hive.

4. Browse to C:\Mount\Windows\System32\config and select SOFTWARE. This file is the
offline registry hive for the Windows PE image mounted to C:\Mount.

Important

Make sure this path is to the mounted Windows PE image, not the default
Windows OS path.

5. Name the key for the loaded hive winpe-offline.

6. On the File menu, select Import. Browse to the modified .reg file that you
previously exported and modified. Select Open.

7. Browse to the following registry key:
Computer\HKEY_LOCAL_MACHINE\winpe-offline\Microsoft\SystemCertificates\AuthRoot\Certificates
Confirm that the new key is added.

8. Select the following registry key: Computer\HKEY_LOCAL_MACHINE\winpe-offline. On
the File menu, select Unload Hive, and select Yes.

9. Close the registry editor and any other windows that reference files in C:\Mount.

10. Unmount the boot image and commit the changes. For example:
DISM /Unmount-image /Commit /MountDir:C:\Mount

The boot image now includes the trusted root certificate.
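
Steps 1 and 2 above as one script, added here as an example that is not part of the original documentation. It assumes an elevated PowerShell console on a machine that holds both the root certificate and the boot image; the thumbprint and paths are the sample values from the steps, while `$RegFile` and the `Invoke-Tool` helper are names introduced for this example.

```powershell
#Requires -RunAsAdministrator
# Added example. Sample values are the ones used in the steps above; replace them.
$Thumbprint = 'eb971f84c0c44b9eb22a378fecb45747eb971f84'   # root certificate thumbprint
$BootWim    = 'C:\Sources\boot.wim'
$MountDir   = 'C:\Mount'
$HiveName   = 'winpe-offline'
$RegFile    = Join-Path $env:TEMP "root-$Thumbprint.reg"   # assumed scratch location

$CertSubKey = "Microsoft\SystemCertificates\AuthRoot\Certificates\$Thumbprint"
$LiveKey    = "HKLM\SOFTWARE\$CertSubKey"
$OfflineKey = "HKLM\$HiveName\$CertSubKey"
$HiveFile   = Join-Path $MountDir 'Windows\System32\config\SOFTWARE'

function Invoke-Tool {
    # Runs a native tool and throws on a non-zero exit code.
    # stderr is not redirected: reg.exe prints some success messages there.
    param([string]$FilePath, [string[]]$ArgumentList, [switch]$Quiet)
    if ($Quiet) { & $FilePath @ArgumentList | Out-Null }
    else        { & $FilePath @ArgumentList | Out-Host }
    if ($LASTEXITCODE -ne 0) {
        throw "$FilePath $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# --- Step 1: export the certificate blob and retarget it at the offline hive ---
Invoke-Tool reg.exe @('query', $LiveKey) -Quiet    # fails if the thumbprint is not in this store
Invoke-Tool reg.exe @('export', $LiveKey, $RegFile, '/y')

$retargeted = (Get-Content -LiteralPath $RegFile -ErrorAction Stop) -replace
    '^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\', "[HKEY_LOCAL_MACHINE\$HiveName\"

# Guard: every key header must now point at the offline hive. If the rewrite
# missed, the import below would write to the running OS, not the boot image.
$prefix  = '^\[' + [regex]::Escape("HKEY_LOCAL_MACHINE\$HiveName\")
$headers = @($retargeted | Where-Object { $_ -match '^\[' })
if ($headers.Count -eq 0 -or ($headers -notmatch $prefix)) {
    throw "Unexpected key path in $RegFile; refusing to import."
}
# reg.exe exports UTF-16; write the edited file back in the same encoding.
Set-Content -LiteralPath $RegFile -Value $retargeted -Encoding Unicode -ErrorAction Stop

# --- Step 2: import the blob into the mounted Windows PE image ---
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Invoke-Tool dism.exe @('/Mount-Image', "/ImageFile:$BootWim", '/Index:1', "/MountDir:$MountDir")

$commit = $false
try {
    # The hive must come from the mounted image, not the default Windows OS path.
    if (-not (Test-Path -LiteralPath $HiveFile)) {
        throw "No SOFTWARE hive found at $HiveFile"
    }
    Invoke-Tool reg.exe @('load', "HKLM\$HiveName", $HiveFile)
    $imported = $false
    try {
        Invoke-Tool reg.exe @('import', $RegFile)
        Invoke-Tool reg.exe @('query', $OfflineKey) -Quiet   # confirm the new key is present
        $imported = $true
    }
    finally {
        # Always unload, or the hive file stays locked and DISM cannot unmount.
        Invoke-Tool reg.exe @('unload', "HKLM\$HiveName")
    }
    $commit = $imported
}
finally {
    # Commit only after a verified import and a clean unload; otherwise discard.
    $mode = if ($commit) { '/Commit' } else { '/Discard' }
    Invoke-Tool dism.exe @('/Unmount-Image', "/MountDir:$MountDir", $mode)
    Remove-Item -LiteralPath $RegFile -ErrorAction SilentlyContinue
}
```

The check with `reg.exe query` is used instead of the PowerShell registry provider so that the script's own process holds no open handle on the loaded hive when it is unloaded.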

Next steps
Monitor OS deployments

Manage task sequences to automate tasks


Create phased deployments with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Phased deployments automate a coordinated, sequenced rollout of software across
multiple collections. For example, deploy software to a pilot collection, and then
automatically continue the rollout based on success criteria. Create phased deployments
with the default of two phases, or manually configure multiple phases.

Create phased deployments for the following objects:

Task sequence: The phased deployment of task sequences doesn't support PXE or media
installation.
Application
Software update: You can't use an automatic deployment rule (ADR) with a phased deployment.

Prerequisites

Security scope
Deployments created by phased deployments aren't viewable to any administrative user
that doesn't have the All security scope. For more information, see Security scopes.

Distribute content
Before creating a phased deployment, distribute the associated content to a distribution
point.

Application: Select the target application in the console and use the Distribute
Content action in the ribbon. For more information, see Deploy and manage
content.

Task sequence: You have to create referenced objects like the OS upgrade package
before creating the task sequence. Distribute these objects before creating a
deployment. Use the Distribute Content action on each object, or the task
sequence. To view status of all referenced content, select the task sequence, and
switch to the References tab in the details pane. For more information, see the
specific object type in Prepare for OS deployment.

Software update: create the deployment package and distribute it. Use the
Download Software Updates Wizard. For more information, see Download
software updates.

Phase settings
These settings are unique to phased deployments. Configure these settings when
creating or editing the phases to control the scheduling and behavior of the phased
deployment process.

Optionally, use the following Windows PowerShell cmdlets to manually configure phases
for software update and task sequence phased deployments:

New-CMSoftwareUpdatePhase
New-CMTaskSequencePhase

Criteria for success of the first phase


Deployment success percentage: Specify the percent of devices that need to
successfully complete the deployment for the first phase to succeed. By default,
this value is 95%. In other words, the site considers the first phase successful when
the compliance state for 95% of the devices is Success for this deployment. The
site then continues to the second phase, and creates a deployment of the software
to the next collection.

Number of devices successfully deployed: Specify the number of devices that
need to successfully complete the deployment for the first phase to succeed. This
option is useful when the size of the collection is variable, and you have a specific
number of devices to show success before moving to the next phase.

Conditions for beginning second phase of deployment after success of the first phase
Automatically begin this phase after a deferral period (in days): Choose the
number of days to wait before beginning the second phase after the success of the
first. By default, this value is one day.

Manually begin the second phase of deployment: The site doesn't automatically
begin the second phase after the first phase succeeds. This option requires that
you manually start the second phase. For more information, see Move to the next
phase.

Note

This option isn't available for phased deployments of applications.

Gradually make this software available over this period of time (in days)
Configure this setting for the rollout in each phase to happen gradually. This behavior
helps mitigate the risk of deployment issues, and decreases the load on the network
that is caused by the distribution of content to clients. The site gradually makes the
software available depending on the configuration for each phase. Every client in a
phase has a deadline relative to the time the software is made available. The time
window between the available time and deadline is the same for all clients in a phase.
The default value of this setting is zero, so by default the deployment isn't throttled.
Don't set the value higher than 30.

Configure the deadline behavior relative to when the software is made available
Installation is required as soon as possible: Set the deadline for installation on the
device as soon as the device is targeted.

Installation is required after this period of time: Set a deadline for installation a
certain number of days after the device is targeted. By default, this value is seven days.

Automatically create a default two-phase deployment
1. Start the Create Phased Deployment wizard in the Configuration Manager console.
This action varies based on the type of software you're deploying:

Application: Go to the Software Library, expand Application Management,
and select Applications. Select an existing application, and then choose
Create Phased Deployment in the ribbon.
Software update: Go to the Software Library, expand Software Updates, and
select All Software Updates. Select one or more updates, and then choose
Create Phased Deployment in the ribbon.

This action is available for software updates from the following nodes:
Software Updates
All Software Updates
Software Update Groups
Windows Servicing, All Windows Updates
Office 365 Client Management, Office 365 Updates

Task sequence: Go to the Software Library workspace, expand Operating
Systems, and select Task Sequences. Select an existing task sequence, and
then choose Create Phased Deployment in the ribbon.

2. On the General page, give the phased deployment a Name, Description (optional),
and select Automatically create a default two phase deployment.

3. Select Browse and choose a target collection for both the First Collection and
Second Collection fields. For a task sequence and software updates, select from
device collections. For an application, select from user or device collections. Select
Next.

Important

The Create Phased Deployment wizard doesn't notify you if a deployment is
potentially high-risk. For more information, see Settings to manage high-risk
deployments and the note when you Deploy a task sequence.

4. On the Settings page, choose one option for each of the scheduling settings. For
more information, see Phase settings. Select Next when complete.

5. On the Phases page, see the two phases that the wizard creates for the specified
collections. Select Next. These instructions cover the procedure to automatically
create a default two-phase deployment. The wizard lets you add, remove, reorder,
edit, or view phases for a phased deployment. For more information on these
additional actions, see Create a phased deployment with manually configured
phases.

6. Confirm your selections on the Summary tab, and then select Next to complete
the wizard.

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365
Apps for enterprise. For more information, see Name change for Office 365
ProPlus. You may still see the old name in the Configuration Manager product and
documentation while the console is being updated.

Optionally, use the following Windows PowerShell cmdlets for this task:

New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment

Create a phased deployment with manually configured phases
Create a phased deployment with manually configured phases for a task sequence. Add
up to 10 additional phases from the Phases tab of the Create Phased Deployment
wizard.

Note

You can't currently manually create phases for an application. The wizard
automatically creates two phases for application deployments.

1. Start the Create Phased Deployment wizard for either a task sequence or software
updates.

2. On the General page of the Create Phased Deployment wizard, give the phased
deployment a Name, Description (optional), and select Manually configure all
phases.

3. From the Phases page of the Create Phased Deployment wizard, the following
actions are available:

Filter the list of deployment phases. Enter a string of characters for a case-
insensitive match of the Order, Name, or Collection columns.

Add a new phase:


a. On the General page of the Add Phase Wizard, specify a Name for the
phase, and then browse to the target Phase Collection. The additional
settings on this page are the same as when normally deploying a task
sequence or software updates.

b. On the Phase Settings page of the Add Phase Wizard, configure the
scheduling settings, and select Next when complete. For more
information, see Settings.

Note

You can't edit the phase settings, Deployment success percentage or
Number of devices successfully deployed, on the first phase. These
settings only apply to phases that have a previous phase.

c. The settings on the User Experience and Distribution Points pages of the
Add Phase Wizard are the same as when normally deploying a task
sequence or software updates.

d. Review the settings on the Summary page, and then complete the Add
Phase Wizard.

Edit: This action opens the selected phase's Properties window, which has
tabs the same as the pages of the Add Phase Wizard.

Remove: This action deletes the selected phase.

Warning

There is no confirmation, and no way to undo this action.

Move Up or Move Down: The wizard orders the phases by how you add
them. The most recently added phase is last in the list. To change the order,
select a phase, and then use these buttons to move the phase's location in
the list.

Important

Review the phase settings after changing the order. Make sure the
following settings are still consistent with your requirements for this
phased deployment:
Criteria for success of the previous phase
Conditions for beginning this phase of deployment after success of
the previous phase

4. Select Next. Review the settings on the Summary page, and then complete the
Create Phased Deployment wizard.

Optionally, use the following Windows PowerShell cmdlets for this task:

New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequenceManualPhasedDeployment

After you create a phased deployment, open its properties to make changes:

Add additional phases to an existing phased deployment.

If a phase isn't active, you can Edit, Remove, or Move it up or down. You can't
move it before an active phase.

When a phase is active, it's read-only. You can't edit it, remove it, or move its
location in the list. The only option is to View the properties of the phase.

An application phased deployment is always read-only.

Next steps
Manage and monitor phased deployments:

Application
Software update
Task sequence

Manage and monitor phased deployments
Article • 10/04/2022

This article describes how to manage and monitor phased deployments. Management
tasks include manually beginning the next phase, and suspending or resuming a phase.

First, you need to create a phased deployment:

Application
Software update
Task sequence

Move to the next phase


When you select the setting, Manually begin the second phase of deployment, the site
doesn't automatically start the next phase based on success criteria. You need to move
the phased deployment to the next phase.

1. How to start this action varies based on the type of deployed software:

Application: Go to the Software Library workspace, expand Application
Management, and select Applications.

Software update: Go to the Software Library workspace, and then select one
of the following nodes:
Software Updates
All Software Updates
Software Update Groups
Windows Servicing, All Windows Updates
Office 365 Client Management, Office 365 Updates

Task sequence: Go to the Software Library workspace, expand Operating
Systems, and select Task Sequences.

2. Select the software with the phased deployment.

3. In the details pane, switch to the Phased Deployments tab.

4. Select the phased deployment, and click Move to next phase in the ribbon.

Optionally, use the following Windows PowerShell cmdlet for this task:
Move-CMPhasedDeploymentToNext.

Suspend and resume phases


You can manually suspend or resume a phased deployment. For example, you create a
phased deployment for a task sequence. While monitoring the phase to your pilot
group, you notice a large number of failures. You suspend the phased deployment to
stop further devices from running the task sequence. After resolving the issue, you
resume the phased deployment to continue the rollout.

1. How to start this action varies based on the type of deployed software:

Application: Go to the Software Library workspace, expand Application
Management, and select Applications.

Software update: Go to the Software Library workspace, and then select one
of the following nodes:
Software Updates
All Software Updates
Software Update Groups
Windows Servicing, All Windows Updates
Office 365 Client Management, Office 365 Updates

Task sequence: Go to the Software Library workspace, expand Operating
Systems, and select Task Sequences. Select an existing task sequence, and
then click Create Phased Deployment in the ribbon.

2. Select the software with the phased deployment.

3. In the details pane, switch to the Phased Deployments tab.

4. Select the phased deployment, and click Suspend or Resume in the ribbon.

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365
Apps for enterprise. For more information, see Name change for Office 365
ProPlus. You may still see the old name in the Configuration Manager product and
documentation while the console is being updated.

Optionally, use the following Windows PowerShell cmdlets for this task:

Suspend-CMPhasedDeployment
Resume-CMPhasedDeployment

Monitor
Phased deployments have their own dedicated monitoring node, making it easier to
identify phased deployments you have created and navigate to the phased deployment
monitoring view. From the Monitoring workspace, select Phased Deployments, then
double-click one of the phased deployments to see the status.
This dashboard shows the following information for each phase in the deployment:

Total devices or Total resources: How many devices are targeted by this phase.

Status: The current status of this phase. Each phase can be in one of the following
states:

Deployment created: The phased deployment created a deployment of the
software to the collection for this phase. Clients are actively targeted with this
software.

Waiting: The previous phase hasn't yet reached the success criteria for the
deployment to continue to this phase.

Suspended: An administrator suspended the deployment.

Progress: The color-coded deployment states from clients. For example: Success, In
Progress, Error, Requirements Not Met, and Unknown.

Success criteria tile
Use the Select Phase drop-down list to change the display of the Success Criteria tile.
This tile compares the Phase Goal against the current compliance of the deployment.
With the default settings, the phase goal is 95%. This value means that the deployment
needs a 95% compliance to move to the next phase.

In the example, the phase goal is 65%, and the current compliance is 66.7%. The phased
deployment automatically moved to the second phase, because the first phase met the
success criteria.

The phase goal is the same as the Deployment success percentage on the Phase
Settings for the next phase. For the phased deployment to start the next phase, that
second phase defines the criteria for success of the first phase. To view this setting:

1. Go to the phased deployment object on the software, and open the Phased
Deployment Properties.

2. Switch to the Phases tab. Select Phase 2 and click View.

3. In the phase Properties window, switch to the Phase Settings tab.

4. View the value for Deployment success percentage in the Criteria for success of the
previous phase group.

For example, the following properties are for the same phase as the success criteria tile
shown above where the criteria is 65%:

PowerShell
Use the following Windows PowerShell cmdlets to manage phased deployments:

Automatically create phased deployments


New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment

Manually create phased deployments


New-CMSoftwareUpdatePhase
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequencePhase
New-CMTaskSequenceManualPhasedDeployment

Get existing phased deployment objects
Get-CMApplicationPhasedDeployment
Get-CMSoftwareUpdatePhasedDeployment
Get-CMTaskSequencePhasedDeployment
Get-CMPhase

Monitor phased deployment status


Get-CMPhasedDeploymentStatus

Manage existing phased deployments


Move-CMPhasedDeploymentToNext
Resume-CMPhasedDeployment
Suspend-CMPhasedDeployment

Modify existing phased deployments


Set-CMApplicationPhasedDeployment
Set-CMSoftwareUpdatePhase
Set-CMSoftwareUpdatePhasedDeployment
Set-CMTaskSequencePhase
Set-CMTaskSequencePhasedDeployment
Remove-CMApplicationPhasedDeployment
Remove-CMSoftwareUpdatePhasedDeployment
Remove-CMTaskSequencePhasedDeployment

Manage Windows as a service using Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

In Configuration Manager, you can view the state of Windows as a service in your
environment. Create servicing plans to form deployment rings, and keep Windows
systems up to date when new builds are released. You can also view alerts when
Windows clients are near end of support for the build version.

For more information about Windows servicing options, see Overview of Windows as a
Service.

Prerequisites
For Configuration Manager version 2203 or later, the WebView2 console extension
must be installed. If needed, select the notification bell in the top right corner of
the console to install the extension.

Windows computers must use Configuration Manager software updates with
Windows Server Update Services (WSUS) for software update management. When
a computer uses Windows Update for Business or Windows Insiders, it isn't
evaluated in Windows servicing plans. For more information, see Integration with
Windows Update for Business.

Use a supported WSUS version:


WSUS 10.0.14393, a role in Windows Server 2016
WSUS 10.0.17763, a role in Windows Server 2019
WSUS 6.3, a role in Windows Server 2012 R2. Also install KB 3095113 and KB
3159706 or later.

Enable heartbeat discovery. The data that the Windows servicing dashboard
displays comes from discovery. For more information, see Configure heartbeat
discovery.

Tip

The following Windows channel and build information is discovered and
stored in the following attributes:

Operating System Readiness Branch: Specifies the Windows channel.
Don't defer upgrades (0): The semi-annual channel - targeted
Defer upgrades (1): The semi-annual channel
LTSB (2): The long-term servicing channel (LTSC)

Operating System Build: Specifies the OS build. For example, 10.0.18362
for Windows 10, version 1903, or 10.0.19041 for Windows 10, version
2004.

Configure the service connection point for Online, persistent connection mode.
When the site is in offline mode, you don't see data updates in the dashboard until
you get Configuration Manager servicing updates. For more information, see
About the service connection point.

Configure and synchronize software updates. Before any Windows feature
upgrades are available in the Configuration Manager console, select the Upgrades
classification, and synchronize software updates. For more information, see
Prepare for software updates management.

Verify the configuration of the following client settings, to make sure they're
appropriate for your environment:
Specify thread priority for feature updates
Enable Dynamic Update for feature updates

Windows servicing dashboard in version 2103 or later
(Introduced in version 2103)

Starting in version 2103, the Windows Servicing dashboard was simplified to make it
more relevant. Servicing plan and Windows 10 ring information were removed from the
dashboard. The following charts are displayed for the selected Collection:

Feature Update Versions: Displays the distribution of Windows major releases. This
chart was previously called Windows 10 Usage.

Quality Update Versions: This chart displays the top five revisions of Windows across
your devices.

Windows 10 Latest Feature Update (added in 2111): This chart shows the number of
devices that installed the latest feature update for Windows 10.
Windows 11 Latest Feature Update (added in 2111): This chart shows the number of
devices that installed the latest feature update for Windows 11.

Latest Feature Update (versions 2103 and 2107): This chart shows the number of
devices that installed the latest feature update.

Collection Errors: This tile shows the number of devices that failed with the specified
error code. For more information, see Analyze SetupDiag errors.

Errors Timeline: Displays the top errors and the number of devices with each error over
the course of time for the chosen collection.

Important

The Windows Servicing dashboard in Configuration Manager versions 2103
and 2107 includes Windows 11 devices with the latest version of Windows 10.
They don't distinguish a version for Windows 11.

The information shown in the Windows servicing dashboard is provided for
your convenience and only for use internally within your company. You should
not solely rely on this information to confirm update compliance. Be sure to
verify the accuracy of the information provided to you. For more detailed
information about Windows builds, see the Product Lifecycle dashboard.

Windows 10 servicing dashboard in version 2010 and earlier
The Windows 10 servicing dashboard provides you with information about Windows 10
computers in your environment, servicing plans, and compliance information. The data
in the Windows 10 servicing dashboard is dependent on the service connection point.
The dashboard has the following tiles:

Windows 10 Usage: Provides a breakdown of public builds of Windows 10.
Windows Insiders builds, and any builds that aren't yet known to your site, are
listed as Other. The service connection point downloads metadata that informs it
about the Windows builds, and then this data is compared against discovery data.

Windows 10 Rings: Provides a breakdown of Windows 10 by channel and
readiness state. The LTSC segment includes all LTSC versions.

Create Service Plan: Provides a quick way to create a servicing plan. You specify
the name, collection, deployment package, and readiness state. It only displays the
top 10 collections by size, smallest first, and the top 10 deployment packages by
most recently modified. It uses default values for the other settings. Select
Advanced Settings to start the Create Servicing Plan wizard, where you can
configure all of the service plan settings.

Expired: Displays the percentage of devices that are on a build of Windows 10
that's past its end of service. Configuration Manager determines the percentage
from the metadata downloaded by the service connection point and compares it
against discovery data. A build that's past its end of service is no longer receiving
monthly cumulative updates, which include security updates. Upgrade the
computers in this category to the latest build version. Configuration Manager
rounds up to the next whole number. For example, if you have 10,000 computers
and only one on an expired build, the tile displays 1%.

Expire Soon: Displays the percentage of computers that are on a build that's within
four months of its end of service. It's similar to the Expired tile otherwise.

Alerts: Displays any active alerts.

Service Plan Monitoring: Displays servicing plans that you've created and a chart
of the compliance for each. This tile gives you a quick overview of the current state
of the servicing plan deployments. If an earlier deployment ring meets your
expectations for compliance, then you can select a later servicing plan (deploying
ring). Select Deploy Now instead of waiting for the servicing plan rules to
automatically trigger.

Collection errors: Starting in version 2010, this tile shows the number of devices
that failed with the specified error code. You can scope the tile to a specific
collection. For more information, see Analyze SetupDiag errors.

For more detailed information about Windows 10 builds, see the Product Lifecycle
dashboard.

Important

The information shown in the Windows 10 servicing dashboard is provided for your
convenience and only for use internally within your company. You should not solely
rely on this information to confirm update compliance. Be sure to verify the
accuracy of the information provided to you.

Drill through required updates

You can drill through compliance statistics to see which devices require a specific
Windows feature update. To view the device list, you need permission to view updates
and the collections the devices belong to.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Windows Servicing, and select the All Windows Feature Updates node.

2. Select any update that is required by at least one device.

3. Look at the Summary tab and find the pie chart under Statistics.

4. To drill down into the device list, select View Required next to the pie chart. This
action takes you to a temporary node under Devices. Here you can see the devices
requiring the update. You can also take actions for the node such as creating a new
collection from the list.

Servicing plan workflow
Windows servicing plans in Configuration Manager are much like automatic deployment
rules for software updates. You create a servicing plan with the following criteria that
Configuration Manager evaluates:

Upgrades classification: Only updates that are in the Upgrades classification are
evaluated.

Readiness state: The readiness state defined in the servicing plan is compared with
the readiness state for the upgrade. The metadata for the upgrade is retrieved
when the service connection point checks for updates.

Time deferral: The number of days that you specify for How many days after
Microsoft has published a new upgrade would you like to wait before deploying
in your environment in the servicing plan. If the current date is after the release
date plus the configured number of days, Configuration Manager evaluates
whether to include an upgrade in the deployment.

When an upgrade meets the criteria, the servicing plan adds the upgrade to the
deployment package, distributes the package to distribution points, and deploys
the upgrade to the collection. It does these actions based on the settings that you
configure in the servicing plan. Monitor the deployments with the Service Plan
Monitoring tile on the Windows servicing dashboard. For more information, see
Monitor software updates.

Note

Windows 10, version 1903 and later was added to Microsoft Update as its own
product rather than being part of the Windows 10 product like earlier versions. This
change caused you to do a number of manual steps to make sure that your clients
see these updates. We've helped reduce the number of manual steps you have to
take for the new product in Configuration Manager version 1906. For more
information, see Configuring products for versions of Windows 10.

Windows servicing plan

As you deploy Windows, you can create one or more servicing plans. These plans define
the deployment rings that you want in your environment. Then monitor them in the
Windows servicing dashboard. Servicing plans use only the Upgrades software updates
classification, not cumulative updates for Windows. For cumulative updates, continue to
use the software updates workflow. The end-user experience with a servicing plan is the
same as with software updates, including the settings that you configure in the servicing
plan.

Note

You can use a task sequence to deploy an upgrade for each Windows build, but it
requires more manual work. You would need to import the updated source files as
an OS upgrade package, and then create and deploy the task sequence to the
appropriate set of computers. However, a task sequence provides additional
customized options, such as the pre-deployment and post-deployment actions.

You can create a basic servicing plan from the Windows servicing dashboard. After you
specify the name, collection, deployment package, and readiness state, Configuration
Manager creates the servicing plan with default values for the other settings. You can
also start the Create Servicing Plan wizard to configure all of the settings.

Create a servicing plan with the Create Servicing Plan wizard

1. In the Configuration Manager console, go to the Software Library workspace,
expand Windows Servicing, and then select the Servicing Plans node.

2. On the Home tab of the ribbon, in the Create group, select Create Servicing Plan.

3. On the General page of the Create Servicing Plan Wizard, configure the following
settings:

Name: Specify the name for the servicing plan. The name must be unique,
help to describe the goal of the servicing plan, and identify it from others in
the Configuration Manager site. The name can't include the following
characters: less than ( < ), greater than ( > ), or ampersand ( & ).

Description: Optionally, specify a description for the servicing plan. The
description could provide an overview of the servicing plan. You might note
any other relevant information that helps to identify and differentiate the
plan among others in the Configuration Manager site. The description field is
optional, and has a limit of 256 characters.

4. On the Servicing Plan page, specify the Target Collection. Members of the
collection receive the Windows upgrades that the servicing plan defines.

Important

When you deploy a high-risk deployment, such as a servicing plan, the Select
Collection window displays only the custom collections that meet the
deployment verification settings. Configure these settings in the site
properties.

High-risk deployments are always limited to custom collections, collections
that you create, and the built-in Unknown Computers collection. When you
create a high-risk deployment, you can't select a built-in collection such as All
Systems. Uncheck Hide collections with a member count greater than the
site's minimum size configuration to see all custom collections that contain
fewer clients than the configured maximum size. For more information, see
Settings to manage high-risk deployments.

The deployment verification settings are based on the current membership of
the collection. After you deploy the servicing plan, the collection membership
isn't reevaluated for the high-risk deployment settings.

5. On the Deployment Ring page, configure the following settings:

Select one of the following options to specify the Windows readiness state to
which this servicing plan should apply:

Semi-Annual Channel (Targeted): In this servicing model, feature updates
are available as soon as Microsoft releases them.

Semi-Annual Channel: This servicing channel is typically used for broad
deployment. Windows 10 clients in the semi-annual channel receive the
same build of Windows 10 as those devices in the targeted channel, just at
a later time.

For more information about servicing channels and what options are best
for you, see Servicing channels.

How many days after Microsoft has published a new upgrade would you
like to wait before deploying in your environment: If the current date is after
the release date plus the number of days that you configure for this setting,
Configuration Manager evaluates whether to include an upgrade in the
deployment.

6. On the Upgrades page, configure the search criteria to filter the upgrades to add
to the service plan. It only adds upgrades that meet the specified criteria to the
associated deployment. The following property filters are available:

Architecture

Language

Product Category

Required

Important

Set the Required field with a value of >=1. Using this criterion makes sure
that only applicable updates are added to the servicing plan.

Superseded

Title

To view the upgrades that meet the specified criteria, select Preview.

7. On the Deployment Schedule page, configure the following settings:

Schedule evaluation: Specify how Configuration Manager evaluates the
available time and installation deadline times. It can either use UTC or the
local time of the computer that runs the Configuration Manager console.

Note

When you select local time, it uses the current time on the computer
running the Configuration Manager console. If you then select As soon
as possible for the Software available time or Installation deadline, it
uses the current local time to evaluate when the upgrade is available or
when a client installs it. If the client is in a different time zone, these
actions will occur when the client's time reaches the evaluation time.

Software available time: Select one of the following settings to specify when
the upgrade is available to clients:

As soon as possible: Make the upgrade available to clients right away.
When you create the deployment with this setting, Configuration Manager
updates the client policy. At the next client policy polling cycle, clients
become aware of the deployment, and can install the upgrade. This setting
is the default and most common for the available time.

Specific time: Make the upgrade available to clients at a specific time
period after the servicing plan creates the deployment. When it creates the
deployment with this setting, Configuration Manager updates the client
policy. At the next client policy polling cycle, clients become aware of the
deployment. The upgrade isn't available to install until after this specified
date and time. Use this setting if you want to create the deployment
several days before clients see it.

Installation deadline: Select one of the following settings to specify when to
require clients to install the upgrade:

As soon as possible: Automatically install the upgrade right away. As soon
as clients get this deployment, they start the upgrade.

Specific time: Automatically install the upgrade at a specific time period
after the servicing plan creates the deployment. Configuration Manager
determines the deadline to install the upgrade by adding the configured
Specific time interval to the Software available time. This setting is the
default and most common for the installation deadline. By default it's
seven days. In other words, by default clients receive the upgrade
deployment at the next policy refresh, and have one week before it's
required.

Note

The actual installation deadline time is the displayed deadline interval
plus a random amount of time up to 2 hours. This randomization
reduces the potential impact of all clients in the collection installing
the upgrade at the same time.

Delay enforcement of this deployment according to user preferences, up
to the grace period defined on the client: Select this option to honor the
Grace period for enforcement after deployment deadline (hours) client
setting.

8. On the User Experience page, configure the following settings:

User notifications: Specify whether to display notification of the upgrade in
Software Center on the client at the available time. By default, it's set to Hide
in Software Center and all notifications.

Deadline behavior: Specify the behavior after the deadline and outside of
any maintenance window. By default, the upgrade doesn't install and the
system won't restart outside of a window. For more information about
maintenance windows, see How to use maintenance windows.

Device restart behavior: Specify whether to suppress the restart after
Windows installs the upgrade. By default, the device restarts after the
upgrade.

Write filter handling for Windows Embedded devices: When you deploy an
upgrade to Windows Embedded devices that use a write filter, configure
when and how it commits the changes. When you deploy an upgrade to a
Windows Embedded device, make sure that the device is a member of a
collection that has a configured maintenance window.

Software updates deployment re-evaluation behavior upon restart: To force
another update deployment evaluation cycle after restart, select the option: If
any update in this deployment requires a system restart, run updates
deployment evaluation cycle after restart.

9. On the Deployment Package page, first select one of the following options:

Select a deployment package: Select Browse to choose an existing
deployment package for this upgrade content.

No deployment package: Clients download content from peers or the
Microsoft cloud.

Create a new deployment package and configure the following additional
settings:

a. Name: Specify the name of the deployment package. This name must be
unique and describe the package content. It's limited to 50 characters.

b. Description: Optionally specify a description that provides additional
information about the deployment package. The description is limited to
127 characters.

c. Package source: Specify the location of the source files. Type a network
path for the source location. For example: \\server\sharename\path . You
can also select Browse to find a network location.

Before you continue to the next page of the wizard, create the shared
folder for the deployment package source files.

The location that you specify can't be used by another software
deployment package.

The SMS Provider computer account and the user that's running the
wizard to download the software updates must both have Write NTFS
permissions on the download location. To reduce the risk of attackers
tampering with the source files, restrict access to the download
location.

After Configuration Manager creates the deployment package, you can
change the package source location in the deployment package
properties. Before you change it, copy the content from the original
package source to the new location.

d. Sending priority: Specify the sending priority for the deployment package.
Configuration Manager uses the sending priority when it sends the
package to distribution points. It sends packages in priority order: high,
medium, or low. If packages have identical priorities, the site sends them in
the order in which you created them. If there's no backlog, the package
processes immediately.

e. Enable binary differential replication. For more information, see Binary
differential replication.

10. If you created a new deployment package, you'll see the Distribution Points page
next. Specify the distribution points or distribution point groups that host the
upgrade content. For more information about distribution points, see Configure a
distribution point.

11. If you selected an existing deployment package, you'll see the Download Location
page next. Select one of the following options:

Download software updates from the internet: The site server downloads
the upgrade content from the internet. This setting is the default.

Download software updates from a location on the local network:
Download the upgrade content from a local directory or shared folder. This
setting is useful when the computer that runs the wizard doesn't have
internet access. Any computer with internet access can preliminarily
download the upgrade content.

12. If you selected an existing deployment package, you'll also see the Language
Selection page. The site downloads the upgrade content for the languages that
you select, only if they're available. By default, the wizard selects the languages
that you configured in the software update point properties.

13. On the Summary page, review the settings. Select Next to create the servicing plan
and complete the wizard.

After you complete the wizard, the site runs the servicing plan for the first time.
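
One way to check the restriction that the Package source step above calls for, as an added example that is not part of the Microsoft documentation: a PowerShell function that lists every account holding NTFS write-type access to the package source folder outside an allow-list you supply. The function name, the CONTOSO account names and the allow-list are placeholders (assumptions); the path is the example path from step 9.

```powershell
# Added example: list principals, other than the ones you expect, that can
# write to a deployment package source folder.
# Get-UnexpectedWriter and every account name below are placeholders.

function Get-UnexpectedWriter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedWriters
    )

    # Specific rights that let a principal change, replace or delete source
    # files, or rewrite the ACL. Read and execute bits are deliberately excluded
    # so that read-only entries are not reported.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

    # Inherit-only entries can carry generic rights that the FileSystemRights
    # enum doesn't name: GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000).
    $genericMask = 0x50000000

    $acl = Get-Acl -LiteralPath $Path

    foreach ($ace in $acl.Access) {
        # Deny entries never grant access, so only Allow entries matter here.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $raw = [int]$ace.FileSystemRights
        if (($raw -band ($writeMask -bor $genericMask)) -eq 0) { continue }

        $identity = $ace.IdentityReference.Value
        if ($identity -in $AllowedWriters) { continue }   # -in is case-insensitive

        [pscustomobject]@{
            Path      = $Path
            Identity  = $identity
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# The two accounts the step requires, plus the usual administrative principals.
# Replace the placeholder names with the real accounts in your site.
$allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'CONTOSO\CM-PROVIDER01$',   # SMS Provider computer account (placeholder)
    'CONTOSO\cm-admin'          # user who runs the wizard (placeholder)
)

Get-UnexpectedWriter -Path '\\server\sharename\path' -AllowedWriters $allowed |
    Format-Table -AutoSize
```

An empty result means only the allow-listed principals can modify the source files. The function evaluates NTFS permissions only, not share permissions.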

Modify a servicing plan

After you create a basic servicing plan from the Windows servicing dashboard, or
when you need to change the settings for an existing servicing plan, go to the
properties for the servicing plan.

Note

You can configure settings in the properties for the servicing plan that aren't
available in the wizard. The wizard uses default settings for the following areas:
download settings, deployment settings, and alerts.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Windows Servicing, and select the Servicing Plans node. Then select the
servicing plan that you want to modify.

2. On the Home tab of the ribbon, select Properties.

The following settings are available in the servicing plan properties that weren't
configured in the wizard:

Deployment Settings
Use Wake-on-LAN to wake up clients for required deployments: Enable Wake On
LAN at the deployment deadline. The site will send wake-up packets to computers
for the deployment. By default, this setting isn't enabled.

Warning

Before you can use this option, configure computers and networks for Wake
On LAN.

Detail level: Specify the level of detail for the state messages that clients send to
the site.

Download Settings
Specify whether the client downloads and installs the upgrade when it's connected
to a slow network or is using a fallback content location.

Specify whether to have the client download and install the upgrade from a
fallback distribution point when the content isn't available on a preferred
distribution point.

Specify whether to have clients download the content from Microsoft Update, if it's
not available on distribution points.

Important

Don't use this setting for Windows servicing updates. Configuration Manager
fails to download the Windows servicing updates from Microsoft Update.

Specify whether to allow clients to download after an installation deadline when
they use metered internet connections.

Alerts
Configure how Configuration Manager and System Center Operations Manager
generate alerts for this deployment.

You can review recent alerts from the Software Updates node in the Software Library
workspace.

Analyze SetupDiag errors

With the release of Windows 10, version 2004, the SetupDiag diagnostic tool is included
with Windows Setup. If there's an issue with the upgrade, SetupDiag automatically runs
to determine the cause of the failure.

Starting in version 2010, Configuration Manager gathers and summarizes SetupDiag
results from feature update deployments with Windows servicing.

The Windows Servicing dashboard in the Software Library workspace of the
Configuration Manager console includes a tile for Collection Errors. Each bar shows the
number of devices that failed with the specified error code. For more information, see
Windows upgrade error codes.

Next steps
For more information, see Fundamentals of Configuration Manager as a service and
Windows as a service.

Monitor operating system deployments in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Configuration Manager console provides the following ways to help you monitor
operating system deployment objects.

Alerts for operating system deployments

You can configure an alert in the task sequence deployment settings to notify
administrative users when compliance levels for the deployment are below the
configured percentage.

After you configure the alert settings, if the specified conditions occur, Configuration
Manager generates an alert. You can review task sequence deployment alerts at the
following locations:

1. Review recent alerts in the Operating Systems node in the Software Library
workspace.

2. Manage the configured alerts in the Alerts node in the Monitoring workspace.

Task sequence deployment status

After you deploy a task sequence, you can monitor the deployment status. Use the
following procedure to monitor the deployment status for a task sequence.

To monitor deployment status

1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, click Deployments.

3. Click the task sequence for which you want to monitor the deployment status.

4. On the Home tab, in the Deployment group, click View Status.

Tip

When an upgrade is initiated, status message 52200 is generated. This
contains the user that did the upgrade.

Starting in version 2203, you can perform client notification actions, including
Run Scripts, from the Deployment Status view. Use the right-click menu on
either a group of clients in a Category or a single client in the Asset details
pane to display the client notification actions.

Operating system deployment reports

There are many predefined operating system deployment reports available. They are
organized in several categories and can be used to report on specific information about
state migration and task sequence deployments. In addition to using the preconfigured
reports, you can also create custom software update reports according to the needs of
your enterprise. For more information, see Operations and maintenance for reporting.

Monitor content
You can monitor content in the Configuration Manager console to review the status for
all package types in relation to the associated distribution points. This can include the
content validation status for the content in the package, the status of content assigned
to a specific distribution point group, the state of content assigned to a distribution
point, and the status of optional features for each distribution point (content validation,
PXE, and multicast).

Content status monitoring

The Content Status node in the Monitoring workspace provides information about
content packages. You can review general information about the package, distribution
status for the package, and detailed status information about the package. Use the
following procedure to view content status.

To monitor content status

1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Distribution Status, and then click Content
Status. The packages are displayed.

3. Select the package for which to view detailed status information.

4. On the Home tab, click View Status. Detailed status information for the package is
displayed.

Distribution point group status

The Distribution Point Group Status node in the Monitoring workspace provides
information about distribution point groups. You can review general information about
the distribution point group, such as distribution point group status and compliance
rate, as well as detailed status information for the distribution point group. Use the
following procedure to view distribution point group status.

To monitor distribution point group status

1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Distribution Status, and then click
Distribution Point Group Status. The distribution point groups are displayed.

3. Select the distribution point group for which to view detailed status information.

4. On the Home tab, click View Status. Detailed status information for the
distribution point group is displayed.

Distribution point configuration status

The Distribution Point Configuration Status node in the Monitoring workspace
provides information about the distribution point. You can review which attributes are
enabled for the distribution point, such as the PXE, Multicast, and content validation.
You can also view detailed status information for the distribution point. Use the
following procedure to view distribution point configuration status.

To monitor distribution point configuration status

1. In the Configuration Manager console, click Monitoring.

2. In the Monitoring workspace, expand Distribution Status, and then click
Distribution Point Configuration Status. The distribution points are displayed.

3. Select the distribution point for which to view distribution point status information.

4. In the results pane, click the Details tab. Status information for the distribution
point is displayed.

Debug a task sequence
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The task sequence debugger is a troubleshooting tool. You deploy a task sequence in
debug mode to a small collection. It lets you step through the task sequence in a
controlled manner to aid troubleshooting and investigation. The debugger currently
runs on the same device as the task sequence engine; it's not a remote debugger.

Tip

This feature was first introduced in version 1906 as a pre-release feature. Beginning
with version 2203, it's no longer a pre-release feature.

Configuration Manager doesn't enable this optional feature by default. Before
using it, you need to enable this feature. For more information, see Enable optional
features from updates.

Prerequisites
Update the Configuration Manager client on the target device

Sign in to the target device as a user in the local Administrators group. The
debugger only runs for administrators.

Update the boot image associated with the task sequence to make sure it has the
latest client version

Start the tool

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select Task Sequences.

2. Select a task sequence. In the Deployment group of the ribbon, select Debug.

Tip

Alternatively, set the variable TSDebugMode to TRUE on a collection or
computer object to which the task sequence is deployed. Any device that has
this variable set will put any task sequence deployed to it into debug mode.

3. Create a debug deployment. The deployment settings are the same as a normal
task sequence deployment. For more information, see Deploy a task sequence.

Note

You can only select a small collection for a debug deployment. It only displays
device collections with 10 or fewer members.

Use the task sequence variable TSDebugOnError to automatically start the debugger
when the task sequence returns an error. For more information, see Task sequence
variables - TSDebugOnError.

Use the tool

When the task sequence runs on the device, the Task Sequence Debugger window
opens.

The debugger includes the following controls:

Step: From the current position, run only the next step in the task sequence.

Note

When the task sequence is in debug mode, if a step returns a fatal error, the
task sequence doesn't fail as normal. This behavior gives you the option to
retry a step after you make an external change.

Run: From the current position, run the task sequence normally to the end, the
next break point, or if a step fails. Before you use this action, make sure to set any
break points with the Set Break action.

Set Current: Select a step in the debugger and then select Set Current. This action
moves the current pointer to that step. This action allows you to skip steps or move
backwards.

Warning

The debugger doesn't consider the type of step when you change the current
position in the sequence. Some steps may set task sequence variables that are
required for condition evaluation by later steps. If run out of order, some
steps may fail or cause significant damage to a device. Use this option at your
own risk.

Set Break: Select a step in the debugger and then select Set Break. This action
adds a break point in the debugger. When you Run the task sequence, it stops at a
break.

Before you use the Run action, set break points.

If you create a break point in the debugger, and then the task sequence restarts
the computer, the debugger keeps your break points after restart.

Clear All Breaks: Remove all break points.

Log File: Opens the current task sequence log file, smsts.log, with CMTrace. You
can see log entries when the task sequence engine is "Waiting for the debugger."

Cmd Prompt: In Windows PE, opens a command prompt.

Cancel: Close the debugger, and fail the task sequence.

Quit: Detach and close the debugger, but the task sequence continues to run
normally.

The Task Sequence Variables window shows the current values for all variables in the
task sequence environment. For more information, see Task sequence variables. If you
use the Set Task Sequence Variable step with the option to Do not display this value,
the debugger doesn't display the variable value. You can't edit the variable values in the
debugger.

Note

Some task sequence variables are for internal use only, and not listed in the
reference documentation.

The task sequence debugger continues to run after a Restart Computer step. The
debugger keeps your break points after restart. Even though the task sequence may not
require it, since the debugger requires user interaction, you need to sign in to Windows
to continue. If you don't sign in after one hour to continue debugging, the task
sequence fails.

It also steps into a child task sequence with the Run Task Sequence step. The debugger
window shows the steps of the child task sequence along with the main task sequence.

Known issues
If you target both a normal deployment and debug deployment to the same device
through multiple deployments, the task sequence debugger may not launch.

See also
About task sequence steps
Task sequence variables
How to use task sequence variables
Deploy a task sequence

Configure pre-cache content for task sequences
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The pre-cache feature for available deployments of task sequences lets clients download
relevant content before a user installs the task sequence. The client can pre-cache
content for task sequences that upgrade an OS or install an OS image.

For example, you only want a single in-place upgrade task sequence for all users, and
have many architectures and languages. In previous versions, the content starts to
download when the user installs an available task sequence deployment from Software
Center. This delay adds more time before the installation is ready to start. All content
referenced in the task sequence is downloaded. This content includes the OS upgrade
package for all languages and architectures. If each upgrade package is roughly 3 GB in
size, the total content is very large.

Pre-cache content gives you the option for the client to only download the applicable
content and all other referenced content as soon as it receives the deployment. When
the user selects Install in Software Center, the content is ready. The installation starts
quickly because the content is on the local hard drive.

Use pre-caching to reduce bandwidth consumption of the following content types:

OS upgrade packages
OS images
Driver packages
Packages

Note

Starting in version 2103, if you use a feature update with the Upgrade OS task
sequence step, the option to Pre-download content for this task sequence doesn't
apply to feature updates.

Configure pre-caching
There are three steps to configure the pre-cache feature:
1. Create and configure the packages
2. Create a task sequence with conditional steps
3. Deploy the task sequence and enable pre-caching

1. Create and configure the packages


The client evaluates attributes of the packages to determine which content it downloads
during pre-caching.

OS upgrade package
Create OS upgrade packages for specific architectures and languages. Specify the
Architecture and Language on the Data Source tab of its properties.

OS image

Create OS images for specific architectures and languages. Specify the Architecture and
Language on the Data Source tab of its properties.

Driver package

Create driver packages for specific hardware models. Specify the Model on the General
tab of its properties.

To determine which driver package it downloads during pre-caching, the client evaluates
the model against the Name property of the Win32_ComputerSystemProduct WMI
class.

Tip

The actual query uses a LIKE statement with wildcards: select * from
win32_computersystemproduct where name like "%yourstring%". For example, if you
specify Surface as the model, the query matches all models that include that string.
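
To see how broadly a Model value matches before you rely on it for pre-caching, the following added example (not part of the Microsoft documentation) applies the LIKE query quoted above to a constructed inventory of Win32_ComputerSystemProduct names. The function names, the sample models, and the assumption that the Model text is inserted into the query unescaped are assumptions of this example.

```powershell
# Added example (not from the Configuration Manager documentation).
# The pre-cache query quoted on this page is:
#   select * from win32_computersystemproduct where name like "%<Model>%"
# Assumption: the Model text is placed between the % signs unchanged, so WQL
# wildcards inside it (% _ [ ]) keep their wildcard meaning.

function Convert-WqlLikeToRegex {
    # Translate a WQL LIKE pattern into an anchored .NET regular expression.
    param([Parameter(Mandatory)][string]$Pattern)

    $sb = [System.Text.StringBuilder]::new('^')
    $i = 0
    while ($i -lt $Pattern.Length) {
        $c = [string]$Pattern[$i]
        $close = if ($c -eq '[') { $Pattern.IndexOf(']', $i + 1) } else { -1 }
        if ($c -eq '%') {
            [void]$sb.Append('.*')                   # any run of characters
        } elseif ($c -eq '_') {
            [void]$sb.Append('.')                    # exactly one character
        } elseif ($close -gt $i + 1) {
            # Character set such as [0-9] or [^a-f]: copy it as a regex class.
            $set = $Pattern.Substring($i + 1, $close - $i - 1).Replace('\', '\\')
            [void]$sb.Append('[' + $set + ']')
            $i = $close
        } else {
            [void]$sb.Append([regex]::Escape($c))    # literal character
        }
        $i++
    }
    [void]$sb.Append('$')
    $sb.ToString()
}

function Get-DriverModelMatch {
    # For each device name, list the driver package Model values that match it.
    param(
        [Parameter(Mandatory)][string[]]$PackageModel,  # Model value of each driver package
        [Parameter(Mandatory)][string[]]$DeviceName     # Win32_ComputerSystemProduct.Name values
    )
    foreach ($name in $DeviceName) {
        $hits = @($PackageModel | Where-Object {
            # -match is case-insensitive, as is WQL LIKE
            $name -match (Convert-WqlLikeToRegex -Pattern ('%' + $_ + '%'))
        })
        [pscustomobject]@{
            DeviceName = $name
            MatchCount = $hits.Count
            MatchedBy  = $hits -join '; '
        }
    }
}

# Constructed sample data (not from a real site).
$packageModels = 'Surface', 'Surface Pro 7', 'Latitude 5_20'
$inventory     = 'Surface Pro 7', 'Surface Laptop 4', 'Latitude 5420',
                 'Latitude 5520', 'OptiPlex 7090'

Get-DriverModelMatch -PackageModel $packageModels -DeviceName $inventory |
    Sort-Object MatchCount -Descending |
    Format-Table -AutoSize

# On a test device, the query from the Tip can be run against live WMI:
# Get-CimInstance -Query "select * from win32_computersystemproduct where name like '%Surface%'"
```

Rows with a MatchCount above 1 show Model values that overlap, and rows with 0 show devices that no driver package covers.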

Package
Create packages for specific architectures and languages. Specify the Architecture and
Language on the General tab of its properties.

2. Create a task sequence
Create a task sequence with conditional steps for the different languages and
architectures, or different hardware models for driver packages.

| Content | Step |
| --- | --- |
| OS upgrade package | Upgrade OS |
| OS image | Apply OS Image |
| Driver package | Apply Driver Package |
| Package | Install Package |

For example, the following Upgrade OS step uses the English version:

Tip

The following WMI query is recommended for the English (United States) OS and
64-bit architecture:

WMI

SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture LIKE '%64%' AND OSLanguage='1033'

First add the language by selecting the Operating System Language condition.
Then edit the WMI query to include the architecture clause.

3. Deploy the task sequence


Deploy the task sequence. For the pre-cache feature, configure the following settings:

On the General tab, select Pre-download content for this task sequence.

Note

Starting in version 2103, if you use a feature update with the Upgrade OS task
sequence step, this option doesn't apply to feature updates.

On the Deployment settings tab, configure the task sequence as Available.

On the Scheduling tab, choose the currently selected time for the setting,
Schedule when this deployment will be available. The client starts pre-caching
content at the deployment's available time. When a targeted client receives this
policy, the available time is in the past, so pre-cache download starts right away. If
the client receives this policy but the available time is in the future, the client
doesn't start pre-caching content until the available time occurs.

On the Distribution Points tab, configure the Deployment options settings. If the
content isn't pre-cached before a user starts the installation, the client uses these
settings.

Important

For a task sequence that installs an OS image, don't use the deployment
option to Download content locally when needed by the running task
sequence. When the task sequence wipes the disk before it applies the OS
image, it removes the client cache. Since the content is gone, the task
sequence fails. These deployment options are dynamic based on other
options you select for the deployment. For more information, see Deploy a
task sequence.

User experience
When the client receives the deployment policy, it starts to pre-cache the content
after the deployment's available time. This content includes all referenced
packages, but only the OS upgrade package that matches the architecture and
language attributes on the package.

When the client makes the deployment available to users, a notification displays to
inform users about the new deployment. Now the task sequence is visible in
Software Center. The user can go to Software Center and select Install to start the
installation.
If the client hasn't fully pre-cached the content when the user installs the task
sequence, then the client uses the settings that you specify for the Deployment
options on the Distribution Points tab of the deployment.

See also
Create a task sequence to upgrade an OS

Scenario to upgrade Windows to the latest version


Create task sequence media
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can use media to capture an OS image from a reference computer or to deploy an
OS to a destination computer in your Configuration Manager environment. The media
that you create can be a CD, DVD set, or a USB flash drive.

Media is used mostly to deploy an OS on computers that don't have a network
connection or that have a low-bandwidth connection to the site. However, you can also
use media to start an OS deployment outside of an existing Windows OS. This method is
useful when there's no OS, the OS isn't working, or you want to repartition the disk.

Deployment media includes bootable media, standalone media, and prestaged media.
The content of the media varies, depending on what type of media that you use. For
example, standalone media contains the task sequence that deploys the OS. Other types
of media retrieve task sequences from the management point.

Important

To create task sequence media, you must be an administrator on the computer
where you run the Configuration Manager console. If you're not an administrator,
you're prompted for administrator credentials when you start the Create Task
Sequence Media wizard.

Capture media
Capture media allows you to capture an OS image from a reference computer. Capture
media contains the boot image that starts the reference computer and the task
sequence that captures the OS image.

Bootable media
Bootable media contains the following components:

The boot image
Optional prestart commands and their required files
Configuration Manager binaries

When the destination computer starts, it connects to the network and retrieves the task
sequence, the OS image, and any other required content from the network. Because the
task sequence isn't on the media, you can change the task sequence or content without
having to recreate the media.

Important

The packages on bootable media aren't encrypted. Take appropriate security
measures, such as adding a password to the media, to make sure that the package
contents are secured from unauthorized users.

Starting in version 2006, bootable media can download cloud-based content. The device
still needs an intranet connection to the management point. It can get content from a
content-enabled cloud management gateway (CMG). For more information, see
Bootable media support for cloud-based content.

Prestaged media
Prestaged media allows you to apply bootable media and an OS image to a hard disk
before the provisioning process. The prestaged media is a Windows Image (WIM) file.
The manufacturer can install it to the bare-metal computer during their build process.
Or you can use it in a staging center that's not connected to the production
Configuration Manager environment.

Prestaged media contains the boot image used to start the destination computer and
the OS image that's applied to the destination computer. You can also specify
applications, packages, and driver packages to include as part of the prestaged media.
The task sequence that deploys the OS isn't included in the media. When you deploy a
task sequence that uses prestaged media, the client checks the local task sequence
cache for valid content first. If the content can't be found or has been revised, the client
downloads the content from a distribution point or peer.

You apply prestaged media to the hard drive of a new computer before you send the
computer to the user. When the computer starts for the first time after you've applied
the prestaged media, the computer starts in Windows PE. It connects to a management
point to locate the task sequence that completes the OS deployment process.

Important

The packages on prestaged media aren't encrypted. Take appropriate security
measures, such as adding a password to the media, to make sure that the package
contents are secured from unauthorized users.

Standalone media
Standalone media contains everything that's required to deploy the OS. This content
includes the task sequence and any other required content. Because everything is on the
media, the required disk space is larger than for other types of media.

Considerations when using HTTPS


When you configure your management points and distribution points to use HTTPS,
create boot media and prestaged media at a primary site, not the central administration
site. Also, consider the following point to help you determine whether to configure the
media as dynamic or site-based:

To configure the media as dynamic media, all primary sites must have the root
certificate authority (CA) of the site from which you created the media. You can
import the root CA to all primary sites in your hierarchy.

When primary sites in your Configuration Manager hierarchy use different root
CAs, you must use site-based media at each site.

Next steps
Create capture media

Create bootable media

Create prestaged media

Create standalone media


Create stand-alone media
Article • 02/15/2023

Applies to: Configuration Manager (current branch)

Stand-alone media in Configuration Manager contains everything required to deploy
the OS on a computer without a network connection.

Use stand-alone media with the following OS deployment scenarios:

Refresh an existing computer with a new version of Windows

Install a new version of Windows on a new computer (bare metal)

Upgrade Windows to the latest version

Usage
Stand-alone media includes the task sequence that automates the steps to install the
OS, and all other required content. This content includes the boot image, OS image, and
device drivers. Because the stand-alone media stores everything to deploy the OS, it
requires more disk space than required for other types of media.

When you create stand-alone media on a CAS, the client retrieves its assigned site code
from Active Directory. Stand-alone media created at child sites automatically assigns to
the client the site code for that site.

Prerequisites
Before you create stand-alone media by using the Create Task Sequence Media Wizard,
be sure that all of these conditions are met.

Create a task sequence to deploy an OS


As part of the stand-alone media, specify the task sequence to deploy an OS. For more
information, see Create a task sequence to install an OS.

Unsupported actions for stand-alone media

The following actions aren't supported for stand-alone media:


The Auto Apply Drivers step in the task sequence. Stand-alone media doesn't
support automatic application of device drivers from the driver catalog. Use the
Apply Driver Package step to make a specified set of drivers available to Windows
Setup.

The Download Package Content step in the task sequence. The management point
information isn't available on stand-alone media, so the step fails trying to
enumerate content locations.

Installing software updates.

Installing software before deploying the OS.

Custom task sequences for non-OS deployments.

Associating users with the destination computer to support user device affinity.

Dynamic package installs via the Install Packages step.

Dynamic application installs via the Install Application step.

The Use pre-production client package when available setting in the Setup
Windows and ConfigMgr task sequence step. For more information about this
setting, see Setup Windows and ConfigMgr.

Known issue with Install Package step and media created at the central administration site
An error might occur if your task sequence includes the Install Package step and you
create the stand-alone media at a central administration site (CAS). The CAS doesn't
have the necessary client configuration policies. These policies are required to enable
the software distribution agent when the task sequence runs. The following error might
appear in the CreateTsMedia.log file: WMI method
SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, create the stand-alone
media at a primary site that has the software distribution agent enabled.

Alternatively, use a custom Run PowerShell Script step. Add it after the Setup Windows
and ConfigMgr step and before the first Install Package step. The Run PowerShell
Script step runs the following commands to enable the software distribution agent
before the first Install Package step:

PowerShell

$namespace = "root\ccm\policy\machine\requestedconfig"
$class = "CCM_SoftwareDistributionClientConfig"
# Properties of the local policy instance that enables the software distribution agent
$classArgs = @{
    ComponentName = 'Enable SWDist'
    Enabled = 'true'
    LockSettings='TRUE'
    PolicySource='local'
    PolicyVersion='1.0'
    SiteSettingsKey='1'
}
# CreateOnly adds the instance and fails if one already exists
Set-WmiInstance -Namespace $namespace -Class $class -Arguments $classArgs -PutType CreateOnly

Distribute all content associated with the task sequence


Distribute all content that the task sequence requires to at least one distribution point.
This content includes the boot image, OS image, and other associated files. The wizard
gathers the content from the distribution point when it creates the media.

Your user account needs at least Read access rights to the content library on that
distribution point. For more information, see Distribute content.

Prepare the removable USB drive


If you're using a removable USB drive, connect it to the computer where you run the
Create Task Sequence Media wizard. The USB drive must be detectable by Windows as a
removable device. The wizard writes directly to the USB drive when it creates the media.

Stand-alone media uses a FAT32 file system. You can't create stand-alone media on a
removable USB drive whose content contains a file over 4 GB in size. This doesn't
include WIM files since Configuration Manager will split WIM files over 4 GB so that they
are under 4 GB and compatible with FAT32 file systems.

Create an output folder


Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD
set, create a folder for the output files it creates. Media that it creates for a CD or DVD
set is written as an .ISO file directly in the folder.

Process
1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence
Media. This action starts the Create Task Sequence Media Wizard.

3. On the Select Media Type page, specify the following options:

Select Stand-alone media.

Optionally, if you want to only allow the OS to be deployed without requiring
user input, select Allow unattended operating system deployment.

Important

When you select this option, the user isn't prompted for network
configuration information or for optional task sequences. If you
configure the media for password protection, the user is still prompted
for a password.

4. On the Media Type page, specify whether the media is a Removable USB drive or
a CD/DVD set. Then configure the following options:

Important

Media uses a FAT32 file system. You can't create media on a USB drive whose
content contains a file over 4 GB in size. This doesn't include WIM files since
Configuration Manager will split WIM files over 4 GB so that they are under 4
GB and compatible with FAT32 file systems.

If you select Removable USB drive, select the drive where you want to store
the content.
Format removable USB drive (FAT32) and make bootable: By default, let
Configuration Manager prepare the USB drive. Many newer UEFI devices
require a bootable FAT32 partition. However, this format also limits the
size of files and overall capacity of the drive. If you've already formatted
and configured the removable drive, disable this option.

Important

It is important when creating stand-alone media on a removable USB
drive that the removable USB drive is created directly via the
Configuration Manager console using the Removable USB drive option.
Creating an ISO via the CD/DVD set option and then copying the
contents of the mounted ISO to a removable USB drive formatted FAT32
may not work since WIM files over 4 GB may not be split when using the
CD/DVD set option. FAT32 does not support files over 4 GB. Stand-alone
media on removable USB drives need to be formatted FAT32 so that
they are bootable on UEFI devices. UEFI devices will only boot from
FAT32 volumes.

If you select CD/DVD set, specify the capacity of the media (Media size) and
the name and path of the output file (Media file). The wizard writes the
output files to this location. For example:
\\servername\folder\outputfile.iso

If the capacity of the media is too small to store the entire content, it creates
multiple files. Then you need to store the content on multiple CDs or DVDs.
When it requires multiple media files, Configuration Manager adds a
sequence number to the name of each output file that it creates.

If you deploy an application along with the OS, and the application can't fit
on a single media, Configuration Manager stores the application across
multiple media. When the stand-alone media is run, Configuration Manager
prompts the user for the next media where the application is stored.

Important

If you select an existing .iso image, the Task Sequence Media Wizard
deletes that image from the drive or share as soon as you proceed to
the next page of the wizard. The existing image is deleted, even if you
then cancel the wizard.

Staging folder: The media creation process can require a lot of temporary
drive space. By default this location is similar to the following path:
%UserProfile%\AppData\Local\Temp. To give you greater flexibility with where
to store these temporary files, change this value to another drive and path.

Media label: Add a label to task sequence media. This label helps you better
identify the media after you create it. The default value is Configuration
Manager. This text field appears in the following locations:

If you mount an ISO file, Windows displays this label as the name of the
mounted drive

If you format a USB drive, it uses the first 11 characters of the label as its
name

Configuration Manager writes a text file called MediaLabel.txt to the root
of the media. By default, the file includes a single line of text:
label=Configuration Manager. If you customize the label for media, this
line uses your custom label instead of the default value.

Include autorun.inf file on media: Configuration Manager doesn't add an
autorun.inf file by default. This file is commonly blocked by antimalware
products. For more information on the AutoRun feature of Windows, see
Creating an AutoRun-enabled CD-ROM Application. If still necessary for your
scenario, select this option to include the file.

5. On the Security page, specify the following options:

Protect media with a password: Enter a strong password to help protect the
media from unauthorized access. When you specify a password, the user
must provide that password to use the media.

Important

As a security best practice, always assign a password to help protect the
media.

On stand-alone media, the password protection only encrypts the task sequence
steps and their variables. It doesn't encrypt the remaining content of the media.
Don't include any sensitive information in task sequence scripts. Store and
implement all sensitive information by using task sequence variables.

Select date range for this stand-alone media to be valid: Set optional start
and expiration dates on the media. This setting is disabled by default. The
dates are compared to the system time on the computer before the stand-
alone media runs. When the system time is earlier than the start time or later
than the expiration time, the stand-alone media doesn't start. These options
are also available by using the New-CMStandaloneMedia PowerShell cmdlet.

6. On the Stand-Alone CD/DVD page, select the task sequence that deploys the OS.
You can only select those task sequences that are associated with a boot image.
Verify the list of content referenced by the task sequence.

Detect associated application dependencies and add them to this media:
Also add content to the media for application dependencies.

Tip

If you don't see expected application dependencies, deselect and then
reselect this option to refresh the list.

7. On the Select Application page, specify additional application content to include
as part of the media file.

8. On the Select Package page, specify additional package content to include as part
of the media file.

9. On the Select Driver Package page, specify additional driver package content to
include as part of the media file.

10. On the Distribution Points page, specify the distribution points that contain the
required content.

Configuration Manager only displays distribution points that have the content.
Distribute all of the content associated with the task sequence to at least one
distribution point before you continue. After you distribute the content, refresh the
distribution point list. Remove any distribution points that you already selected on
this page, go to the previous page, and then back to the Distribution Points page.
Alternatively, restart the wizard. For more information, see Distribute referenced
content and Manage content and content infrastructure.

11. On the Customization page, specify the following options:

Add any variables that the task sequence uses.

Enable prestart command: Specify any prestart commands that you want to
run before the task sequence runs. Prestart commands are a script or an
executable that can interact with the user in Windows PE before the task
sequence runs. For more information, see Prestart commands for task
sequence media.

Tip

During media creation, the task sequence writes the package ID and
prestart command-line, including the value for any task sequence
variables, to the CreateTSMedia.log file on the computer that runs the
Configuration Manager console. You can review this log file to verify the
value for the task sequence variables.

If the prestart command requires any content, select the option to Include
files for the prestart command.

12. Complete the wizard.

The stand-alone media files (.ISO) are created in the destination folder. If you selected
CD/DVD set, copy the output files to a set of CDs or DVDs.
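
Because password protection on stand-alone media covers only the task sequence steps and variables, and FAT32 can't hold a non-WIM file over 4 GB, it helps to audit the content source folders before you run the wizard. The following is an added example, not Microsoft's code; the function name Test-MediaContentSource, the file extensions, and the search patterns are illustrative assumptions, and the demo files are constructed.

```powershell
# Added example (not from the Configuration Manager documentation).
# Extensions and patterns are illustrative assumptions; tune them for your content.
$ScriptExtensions = '.ps1', '.cmd', '.bat', '.vbs', '.xml', '.ini', '.txt'
$SecretPatterns = [ordered]@{
    # keyword = literal value; values starting with $ or % (variable references) are skipped
    'Hard-coded password'       = '\b(password|passwd|pwd)\s*[=:]\s*["'']?[^\s"''$%]'
    'net use with /user'        = '\bnet\s+use\b.*\s/user:'
    'SecureString from literal' = 'ConvertTo-SecureString\s+(-String\s+)?["'']'
}

function Test-MediaContentSource {
    # Report files FAT32 can't store and script lines that look like embedded secrets.
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [long]$MaxFileBytes = (4GB - 1)     # largest file a FAT32 volume can store
    )
    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -File) {
        # Per this page, only WIM files are split automatically for USB media.
        if ($file.Length -gt $MaxFileBytes -and $file.Extension -ne '.wim') {
            [pscustomobject]@{
                Check  = 'FAT32 size'
                File   = $file.FullName
                Line   = $null
                Detail = '{0:N0} bytes' -f $file.Length
            }
        }
        if ($ScriptExtensions -notcontains $file.Extension) { continue }

        $lineNo = 0
        foreach ($line in [System.IO.File]::ReadLines($file.FullName)) {
            $lineNo++
            foreach ($rule in $SecretPatterns.Keys) {
                if ($line -match $SecretPatterns[$rule]) {
                    # Report the rule and location only, never the matched value.
                    [pscustomobject]@{
                        Check  = 'Secret in script'
                        File   = $file.FullName
                        Line   = $lineNo
                        Detail = $rule
                    }
                }
            }
        }
    }
}

# Constructed demo content (all values are fake), written to a temp folder.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('tsmedia-audit-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -Path (Join-Path $demo 'join.ps1') -Value @(
    '$pw = ConvertTo-SecureString "Example-Not-Real1" -AsPlainText -Force'
    '$ok = ConvertTo-SecureString $tsenv.Value("OSDJoinPassword") -AsPlainText -Force'
)
Set-Content -Path (Join-Path $demo 'map.cmd') `
    -Value 'net use Z: \\fileserver.example\share /user:EXAMPLE\svc Example-Not-Real1'
[System.IO.File]::WriteAllBytes((Join-Path $demo 'payload.bin'), [byte[]]::new(2KB))

# -MaxFileBytes is lowered here only so the demo doesn't need a 4 GB file.
Test-MediaContentSource -Path $demo -MaxFileBytes 1KB | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

The second line of join.ps1 reads the password from a task sequence variable, so it isn't reported; the literal on the first line is.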

Next steps
Use stand-alone media to deploy Windows without using the network

Create prestaged media
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Prestaged media in Configuration Manager is a Windows Image (WIM) file. It can be
installed on a bare-metal computer by the manufacturer or at your staging center that's
not connected to the production Configuration Manager environment. Prestaged media
contains the boot image used to start the destination computer and the OS image that's
applied to the destination computer. You can also specify applications, packages, and
driver packages to include as part of the prestaged media. The task sequence that
deploys the OS isn't included in the media. Prestaged media is applied to the hard drive
of a new computer before the computer is sent to the end user.

Use prestaged media for the following OS deployment scenarios:

Create an image for an OEM in factory or a local depot

Install a new version of Windows on a new computer (bare metal)

Deploy Windows to Go

Usage
When the computer starts for the first time after you've applied the prestaged media,
the computer starts in Windows PE. It connects to a management point to locate the
task sequence that completes the OS deployment process. When you deploy a task
sequence that uses prestaged media, the client checks the local task sequence cache for
valid content first. If the content can't be found or has been revised, the client
downloads the content from a distribution point or peer.

Prerequisites
Before you create prestaged media by using the Create Task Sequence Media Wizard, be
sure that all of the conditions are met.

Boot image
Consider the following points about the boot image that you use in the task sequence
to deploy the OS:
The architecture of the boot image must be appropriate for the architecture of the
destination computer. For example, an x64 destination computer can boot and run
an x86 or x64 boot image. However, an x86 destination computer can boot and
run only an x86 boot image.
Make sure that the boot image contains the network and storage drivers that are
required to provision the destination computer.

Create a task sequence to deploy an OS


As part of the prestaged media, specify the task sequence to deploy the OS. For more
information, see Create a task sequence to install an OS.

Distribute all content associated with the task sequence


Distribute all content that the task sequence requires to at least one distribution point.
This content includes the boot image, OS image, and other associated files. The wizard
gathers the content from the distribution point when it creates the prestaged media.

Your user account needs at least Read access rights to the content library on that
distribution point. For more information, see Distribute content.

Hard drive on the destination computer


The hard drive of the destination computer must be formatted before the prestaged
media is applied to it. If the hard drive isn't formatted when the media is applied, the
task sequence that deploys the OS fails when it attempts to start the destination
computer.

Note

The Create Task Sequence Media Wizard sets the following task sequence variable
condition on the media: _SMSTSMediaType = OEMMedia. You can use this same
condition in your task sequence.

Process

Note

For PKI environments, since the Root CA is specified at the Primary site, make sure
the prestaged media is created at the Primary site. The CAS site does not have the
Root CA information to properly create the prestaged media.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence
Media. This action starts the Create Task Sequence Media Wizard.

3. On the Select Media Type page, specify the following options:

Select Prestaged media.

Optionally, if you want to only allow the OS to be deployed without requiring
user input, select Allow unattended operating system deployment.

Important

When you select this option, the user isn't prompted for network
configuration information or for optional task sequences. If you
configure the media for password protection, the user is still prompted
for a password.

4. On the Media Management page, specify one of the following options:

Dynamic media: Allow a management point to redirect the media to another
management point, based on the client location in the site boundaries.

Site-based media: The media only contacts the specified management point.

5. On the Media Properties page, specify the following information:

Created by: Specify who created the media.

Version: Specify the version number of the media.

Comment: Specify a unique description of what the media is used for.

Media file: Specify the name and path of the output files. The wizard writes
the output files to this location. For example:
\\servername\folder\outputfile.wim

Staging folder: The media creation process can require a lot of temporary
drive space. By default this location is similar to the following path:
%UserProfile%\AppData\Local\Temp. To give you greater flexibility with where
to store these temporary files, change this value to another drive and path.

6. On the Security page, specify the following options:

Enable unknown computer support: Allow the media to deploy an OS to a
computer that's not managed by Configuration Manager. There's no record
of these computers in the Configuration Manager database. For more
information, see Prepare for unknown computer deployments.

Protect media with a password: Enter a strong password to help protect the
media from unauthorized access. When you specify a password, the user
must provide that password to use the prestaged media.

Important

As a security best practice, always assign a password to help protect the
prestaged media.

For HTTP communications, select Create self-signed media certificate. Then
specify the start and expiration date for the certificate.

Note

If you select this option, HTTPS management points will not be available
for selection on the Boot image page of this wizard.

For HTTPS communications, select Import PKI certificate. Then specify the
certificate to import and its password.

For more information about this client certificate that boot images use, see
PKI certificate requirements.

User device affinity: To support user-centric management in Configuration
Manager, specify how you want the media to associate users with the
destination computer. For more information about how OS deployment
supports user device affinity, see Associate users with a destination computer.

Allow user device affinity with auto-approval: The media automatically
associates users with the destination computer. This functionality is based
on the actions of the task sequence that deploys the OS. In this scenario,
the task sequence creates a relationship between the specified users and
destination computer when it deploys the OS to the destination computer.

Allow user device affinity pending administrator approval: The media
associates users with the destination computer after approval is granted.
This functionality is based on the scope of the task sequence that deploys
the OS. In this scenario, the task sequence creates a relationship between
the specified users and the destination computer, but waits for approval
from an administrative user before the OS is deployed.

Do not allow user device affinity: The media doesn't associate users with
the destination computer. In this scenario, the task sequence doesn't
associate users with the destination computer when it deploys the OS.

7. On the Task Sequence page, select the task sequence that runs on the destination
computer. Verify the list of content referenced by the task sequence.

Detect associated application dependencies and add them to this media:
Also add content to the media for application dependencies.

Tip

If you don't see expected application dependencies, deselect and then
reselect this option to refresh the list.

8. On the Boot image page, specify the following options:

Important

The architecture of the boot image that you distribute must be appropriate
for the architecture of the destination computer. For example, an x64
destination computer can boot and run an x86 or x64 boot image. However,
an x86 destination computer can boot and run only an x86 boot image.

Boot image: Select the boot image to start the destination computer.

Distribution point: Select the distribution point that has the boot image. The
wizard retrieves the boot image from the distribution point and writes it to
the media.

Note
Your user account needs at least Read permissions to the content library
on the distribution point.

Management point: Only for site-based media, select a management point
from a primary site.

Associated management points: Only for dynamic media, select the primary
site management points to use, and a priority order for the initial
communication.

Note

HTTPS-enabled management points are only displayed when a PKI
certificate is specified on the Security page of this wizard.

9. On the Images page, specify the following options:

Image package: Specify the OS image to use. For more information, see
Manage OS images.

Image index: If the package contains multiple OS images, specify the index of
the image to deploy.

Distribution point: Specify the distribution point that has the OS image
package. The wizard gets the OS image from the distribution point and writes
it to the media.

10. On the Select Application page, select additional applications to add to the
prestaged media file.

11. On the Select Package page, select additional packages to add to the prestaged
media file.

12. On the Select Driver Package page, select additional driver packages to add to the
prestaged media file.

13. On the Distribution Points page, select one or more distribution points from which
to get content.

Configuration Manager only displays distribution points that have the content.
Distribute all of the content associated with the task sequence to at least one
distribution point before you continue. After you distribute the content, refresh the
distribution point list. Remove any distribution points that you already selected on
this page, go to the previous page, and then back to the Distribution Points page.
Alternatively, restart the wizard. For more information, see Distribute referenced
content and Manage content and content infrastructure.

14. On the Customization page, specify the following options:

Add any variables that the task sequence uses.

Enable prestart command: Specify any prestart commands that you want to
run before the task sequence runs. Prestart commands are a script or an
executable that can interact with the user in Windows PE before the task
sequence runs. For more information, see Prestart commands for task
sequence media.

Tip

During media creation, the task sequence writes the package ID and
prestart command-line, including the value for any task sequence
variables, to the CreateTSMedia.log file on the computer that runs the
Configuration Manager console. You can review this log file to verify the
value for the task sequence variables.

If the prestart command requires any content, select the option to Include
files for the prestart command.

15. Complete the wizard.

Next steps
Create an image for an OEM in factory or a local depot

Create bootable media
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Bootable media in Configuration Manager contains the boot image, optional prestart
commands and associated files, and Configuration Manager files. Use bootable media
for the following OS deployment scenarios:

Install a new version of Windows on a new computer (bare metal)

Replace an existing computer and transfer settings

Usage
The following process occurs when you boot to bootable media:

1. The destination computer starts

2. It connects to the network

3. It retrieves the following content from the site:

The specified task sequence

OS image

Any other required content

Because the task sequence isn't on the media, you can change the task sequence or
content without having to recreate the media.

The packages on bootable media aren't encrypted. To make sure that the package
contents are secured from unauthorized users, take appropriate security measures. For
example, add a password to the media.

Starting in version 2006, bootable media can download cloud-based content. The device
still needs an intranet connection to the management point. It can get content from a
content-enabled cloud management gateway (CMG). For more information, see
Bootable media support for cloud-based content.

Prerequisites
Before you create bootable media by using the Create Task Sequence Media Wizard, be
sure that all of these conditions are met.

Boot image
Consider the following points about the boot image that you use in the task sequence
to deploy the OS:

The architecture of the boot image must be appropriate for the architecture of the
destination computer. For example, an x64 destination computer can boot and run
an x86 or x64 boot image. However, an x86 destination computer can boot and
run only an x86 boot image.
Make sure that the boot image contains the network and storage drivers that are
required to provision the destination computer.

Create a task sequence to deploy an OS


As part of the bootable media, specify the task sequence to deploy the OS. For more
information, see Create a task sequence to install an OS.

Distribute all content associated with the task sequence


Distribute all content that the task sequence requires to at least one distribution point.
This content includes the boot image and other associated prestart files. The wizard
gathers the content from the distribution point when it creates the bootable media.

Your user account needs at least Read access rights to the content library on that
distribution point. For more information, see Distribute content.

Prepare the removable USB drive


If you're using a removable USB drive, connect it to the computer where you run the
Create Task Sequence Media wizard. The USB drive must be detectable by Windows as a
removable device. The wizard writes directly to the USB drive when it creates the media.

Create an output folder


Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD
set, create a folder for the output files it creates. Media that it creates for a CD or DVD
set is written as an .ISO file directly in the folder.

Process

Note

For PKI environments, since you specify the root certificate authority (CA) at the
primary site, make sure to create the bootable media at the primary site. The
central administration site (CAS) doesn't have the root CA information to properly
create the bootable media. For more technical information on this issue, see
Sending with winhttp failed 80072f8f error in Smsts.log during OS deployment
by using bootable or prestaged media.

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence
Media. This action starts the Create Task Sequence Media Wizard.

3. On the Select Media Type page, specify the following options:

Select Bootable media.

Optionally, if you want to only allow the OS to be deployed without requiring
user input, select Allow unattended operating system deployment.

Important

When you select this option, the user isn't prompted for network
configuration information or for optional task sequences. If you
configure the media for password protection, the user is still prompted
for a password.

4. On the Media Management page, specify one of the following options:

Dynamic media: Allow a management point to redirect the media to another
management point, based on the client location in the site boundaries.

Site-based media: The media only contacts the specified management point.

5. On the Media Type page, specify whether the media is a Removable USB drive or
a CD/DVD set. Then configure the following options:

Important

Media uses a FAT32 file system. You can't create media on a USB drive whose
content contains a file over 4 GB in size.

If you select Removable USB drive, select the drive where you want to store
the content.
Format removable USB drive (FAT32) and make bootable: By default, let
Configuration Manager prepare the USB drive. Many newer UEFI devices
require a bootable FAT32 partition. However, this format also limits the
size of files and overall capacity of the drive. If you've already formatted
and configured the removable drive, disable this option.

If you select CD/DVD set, specify the capacity of the media (Media size) and
the name and path of the output file (Media file). The wizard writes the
output files to this location. For example:
\\servername\folder\outputfile.iso

If the capacity of the media is too small to store the entire content, it creates
multiple files. Then you need to store the content on multiple CDs or DVDs.
When it requires multiple media files, Configuration Manager adds a
sequence number to the name of each output file that it creates.

Important

If you select an existing .iso image, the Task Sequence Media Wizard
deletes that image from the drive or share as soon as you proceed to
the next page of the wizard. The existing image is deleted, even if you
then cancel the wizard.

Staging folder: The media creation process can require much temporary
drive space. By default this location is similar to the following path:
%UserProfile%\AppData\Local\Temp . To give you greater flexibility with where
to store these temporary files, you can change this value to another drive and
path.

Media label: Add a label to task sequence media. This label helps you better
identify the media after you create it. The default value is Configuration
Manager . This text field appears in the following locations:

If you mount an ISO file, Windows displays this label as the name of the
mounted drive.
If you format a USB drive, it uses the first 11 characters of the label as its
name.

Configuration Manager writes a text file called MediaLabel.txt to the root
of the media. By default, the file includes a single line of text:
label=Configuration Manager . If you customize the label for media, this
line uses your custom label instead of the default value.

Include autorun.inf file on media: Configuration Manager doesn't add an
autorun.inf file by default. This file is commonly blocked by antimalware
products. For more information on the AutoRun feature of Windows, see
Creating an AutoRun-enabled CD-ROM Application. If still necessary for your
scenario, select this option to include the file.

6. On the Security page, specify the following options:

Enable unknown computer support: Allow the media to deploy an OS to a
computer that's not managed by Configuration Manager. There's no record
of these computers in the Configuration Manager database. For more
information, see Prepare for unknown computer deployments.

Protect media with a password: Enter a strong password to help protect the
media from unauthorized access. When you specify a password, the user
must provide that password to use the bootable media.

Important

As a security best practice, always assign a password to help protect the
bootable media.

For HTTP communications, select Create self-signed media certificate. Then
specify the start and expiration date for the certificate.

Note

If you select this option, you can't select any HTTPS management point
on the Boot image page of this wizard.

For HTTPS communications, select Import PKI certificate. Then specify the
certificate to import and its password.
For more information about this client certificate that boot images use, see
PKI certificate requirements.

User device affinity: To support user-centric management in Configuration
Manager, specify how you want the media to associate users with the
destination computer. For more information about how OS deployment
supports user device affinity, see Associate users with a destination computer.

Allow user device affinity with auto-approval: The media automatically
associates users with the destination computer. This functionality is based
on the actions of the task sequence that deploys the OS. In this scenario,
the task sequence creates a relationship between the specified users and
destination computer when it deploys the OS to the destination computer.

Allow user device affinity pending administrator approval: The media
associates users with the destination computer after approval is granted.
This functionality is based on the scope of the task sequence that deploys
the OS. In this scenario, the task sequence creates a relationship between
the specified users and the destination computer. It then waits for
approval from an administrative user before it deploys the OS.

Do not allow user device affinity: The media doesn't associate users with
the destination computer. In this scenario, the task sequence doesn't
associate users with the destination computer when it deploys the OS.

7. On the Boot image page, specify the following options:

Important

The architecture of the boot image that you distribute must be appropriate
for the architecture of the destination computer. For example, an x64
destination computer can boot and run an x86 or x64 boot image. However,
an x86 destination computer can only boot and run an x86 boot image.

Boot image: Select the boot image to start the destination computer.

Distribution point: Select the distribution point that has the boot image. The
wizard retrieves the boot image from the distribution point and writes it to
the media.

Note
Your user account needs at least Read permissions to the content library
on the distribution point.

Management point: Only for site-based media, select a management point
from a primary site.

Associated management points: Only for dynamic media, select the primary
site management points to use, and a priority order for the initial
communication.

Note

When you specify a PKI certificate on the Security page of this wizard,
this page only displays HTTPS-enabled management points.

8. On the Customization page, specify the following options:

Add any variables that the task sequence uses.

Enable prestart command: Specify any prestart commands that you want to
run before the task sequence runs. Prestart commands are a script or an
executable that can interact with the user in Windows PE before the task
sequence runs. For more information, see Prestart commands for task
sequence media.

Tip

During media creation, the task sequence writes the package ID and
prestart command-line, including the value for any task sequence
variables, to the CreateTSMedia.log file on the computer that runs the
Configuration Manager console. You can review this log file to verify the
value for the task sequence variables.

If the prestart command requires any content, select the option to Include
files for the prestart command.

9. Complete the wizard.
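
The same choices can be scripted with the New-CMBootableMedia cmdlet from the Configuration Manager PowerShell module. This is an added example, not part of the original article; the server names, boot image name, 30-day certificate lifetime, and minimum password length are assumptions to replace with your own values.

```powershell
# Added example (not from the original article): create password-protected,
# site-based bootable media as an ISO file.
# Run in a Configuration Manager PowerShell session connected to the primary site.
# Every name and value below is a placeholder or a local-policy assumption.
$bootImageName  = 'Boot image (x64)'                     # placeholder
$dpServer       = 'dp01.contoso.example'                 # placeholder
$mpServer       = 'mp01.contoso.example'                 # placeholder
$isoPath        = '\\servername\folder\outputfile.iso'   # path form from step 5
$certLifetime   = 30    # days; assumption for the self-signed media certificate
$minPasswordLen = 14    # assumption; follow your own password policy

# The current location is the site drive, so test the UNC path through the
# FileSystem provider. Refuse to replace an existing image.
if (Test-Path -LiteralPath "FileSystem::$isoPath") {
    throw "Refusing to overwrite existing media file: $isoPath"
}

# Read the media password interactively so it isn't stored in the script.
$mediaPassword = Read-Host -Prompt 'Media password' -AsSecureString
if ($mediaPassword.Length -lt $minPasswordLen) {
    throw "Media password must be at least $minPasswordLen characters."
}

# Resolve the objects that the wizard asks for on the Boot image page.
$bootImage = Get-CMBootImage -Name $bootImageName
$dp        = Get-CMDistributionPoint -SiteSystemServerName $dpServer
$mp        = Get-CMManagementPoint -SiteSystemServerName $mpServer
if (-not $bootImage) { throw "Boot image not found: $bootImageName" }
if (-not $dp)        { throw "Distribution point not found: $dpServer" }
if (-not $mp)        { throw "Management point not found: $mpServer" }

$mediaParams = @{
    MediaMode             = 'SiteBased'      # step 4: contact only $mp
    MediaType             = 'CdDvd'          # step 5: write an .iso file
    Path                  = $isoPath
    BootImage             = $bootImage       # step 7
    DistributionPoint     = $dp
    ManagementPoint       = $mp
    MediaPassword         = $mediaPassword   # step 6: protect media with a password
    AllowUnknownMachine   = $false           # step 6: no unknown computer support
    AllowUnattended       = $false           # step 3: keep the user prompts
    UserDeviceAffinity    = 'DoNotAllow'     # step 6
    CertificateStartTime  = (Get-Date)       # step 6: self-signed media certificate
    CertificateExpireTime = (Get-Date).AddDays($certLifetime)
}
New-CMBootableMedia @mediaParams
```
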

Alternate method
You can create bootable media on a removable USB drive when the drive isn't
connected to the computer running the Configuration Manager console.

1. Create the task sequence boot media. On the Media type page, select CD/DVD
set. The wizard writes the output files to the location that you specify. For example:
\\servername\folder\outputfile.iso .

2. Prepare the removable USB drive. The drive must be formatted, empty, and
bootable.

3. Mount the ISO from the share location and transfer the files from the ISO to the
USB drive.
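
Steps 2 and 3 can be scripted with built-in Windows cmdlets. The following added example is not part of the original article; the ISO path and drive letter are placeholders, and it can't verify that the USB drive is bootable, so prepare the drive first.

```powershell
# Added example (not from the original article): copy task sequence media
# from an ISO to a USB drive that is already formatted, empty, and bootable.
# Run from an elevated Windows PowerShell session. Both values are placeholders.
$isoPath   = '\\servername\folder\outputfile.iso'
$usbLetter = 'E'
$fat32MaxFileSize = 4GB - 1   # largest file that a FAT32 volume can store

# Step 2 checks: the target must be a removable drive with no existing content.
$usb = Get-Volume -DriveLetter $usbLetter
if ($usb.DriveType -ne 'Removable') {
    throw "Drive ${usbLetter}: is not a removable drive."
}
$existing = Get-ChildItem -LiteralPath "${usbLetter}:\" -Force |
    Where-Object Name -ne 'System Volume Information'
if ($existing) {
    throw "Drive ${usbLetter}: is not empty."
}

# Step 3: mount the ISO from the share and transfer its files.
$image = Mount-DiskImage -ImagePath $isoPath -PassThru
try {
    $isoRoot = '{0}:\' -f ($image | Get-Volume).DriveLetter

    # On a FAT32 target, stop before the copy if any file exceeds the size limit.
    if ($usb.FileSystem -eq 'FAT32') {
        $tooLarge = Get-ChildItem -LiteralPath $isoRoot -Recurse -File -Force |
            Where-Object Length -gt $fat32MaxFileSize
        if ($tooLarge) {
            throw "Files too large for FAT32: $($tooLarge.FullName -join ', ')"
        }
    }

    # autorun.inf is only on the media if it was selected during media creation.
    if (Test-Path -LiteralPath (Join-Path $isoRoot 'autorun.inf')) {
        Write-Warning 'Media contains autorun.inf, which antimalware products commonly block.'
    }

    Copy-Item -Path (Join-Path $isoRoot '*') -Destination "${usbLetter}:\" -Recurse -Force

    # MediaLabel.txt holds one line, label=<text>. Name the USB volume with the
    # first 11 characters of that label, matching what the wizard does.
    $labelLine = Get-Content -LiteralPath (Join-Path $isoRoot 'MediaLabel.txt') -ErrorAction SilentlyContinue |
        Where-Object { $_ -like 'label=*' } |
        Select-Object -First 1
    if ($labelLine) {
        $label = $labelLine.Substring('label='.Length).Trim()
        $short = $label.Substring(0, [Math]::Min(11, $label.Length))
        Set-Volume -DriveLetter $usbLetter -NewFileSystemLabel $short
    }
}
finally {
    # Always release the mounted image, even when a check fails.
    Dismount-DiskImage -ImagePath $isoPath | Out-Null
}
```
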

Next steps
Use bootable media to deploy Windows over the network

Create capture media
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Capture media in Configuration Manager allows you to capture an OS image from a
reference computer. Capture media contains the boot image that starts the reference
computer and the task sequence that captures the OS image. Use capture media for the
scenario to Create a task sequence to capture an OS.

Prerequisites
Before you create capture media by using the Create Task Sequence Media Wizard, be
sure that all of these conditions are met.

Boot image
Consider the following points about the boot image that you use in the task sequence
to deploy the OS:

The architecture of the boot image must be appropriate for the architecture of the
destination computer. For example, an x64 destination computer can boot and run
an x86 or x64 boot image. However, an x86 destination computer can boot and
run only an x86 boot image.
Make sure that the boot image contains the network and storage drivers that are
required to provision the destination computer.

Distribute all content associated with the task sequence


Distribute all content that the task sequence requires to at least one distribution point.
This content includes the boot image, OS image, and other associated files. The wizard
gathers the content from the distribution point when it creates the capture media.

Your user account needs at least Read access rights to the content library on that
distribution point. For more information, see Distribute content.

Prepare the removable USB drive


If you're using a removable USB drive, connect it to the computer where you run the
Create Task Sequence Media wizard. The USB drive must be detectable by Windows as a
removable device. The wizard writes directly to the USB drive when it creates the media.

Create an output folder


Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD
set, create a folder for the output files it creates. Media that it creates for a CD or DVD
set is written as an .ISO file directly in the folder.

Process
1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and select the Task Sequences node.

2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence
Media. This action starts the Create Task Sequence Media Wizard.

3. On the Select Media Type page, select Capture media.

4. On the Media Type page, specify whether the media is a Removable USB drive or
a CD/DVD set. Then configure the following options:

Important

Media uses a FAT32 file system. You can't create media on a USB drive whose
content contains a file over 4 GB in size.

If you select Removable USB drive, select the drive where you want to store
the content.
Format removable USB drive (FAT32) and make bootable: By default, let
Configuration Manager prepare the USB drive. Many newer UEFI devices
require a bootable FAT32 partition. However, this format also limits the
size of files and overall capacity of the drive. If you've already formatted
and configured the removable drive, disable this option.

If you select CD/DVD set, specify the capacity of the media (Media size) and
the name and path of the output file (Media file). The wizard writes the
output files to this location. For example:
\\servername\folder\outputfile.iso

If the capacity of the media is too small to store the entire content, it creates
multiple files. Then you need to store the content on multiple CDs or DVDs.
When it requires multiple media files, Configuration Manager adds a
sequence number to the name of each output file that it creates.

Important

If you select an existing .iso image, the Task Sequence Media Wizard
deletes that image from the drive or share as soon as you proceed to
the next page of the wizard. The existing image is deleted, even if you
then cancel the wizard.

Staging folder: The media creation process can require a lot of temporary
drive space. By default this location is similar to the following path:
%UserProfile%\AppData\Local\Temp . Starting in version 1902, to give you
greater flexibility with where to store these temporary files, change this value
to another drive and path.

Media label: Starting in version 1902, add a label to task sequence media.
This label helps you better identify the media after you create it. The default
value is Configuration Manager . This text field appears in the following
locations:

If you mount an ISO file, Windows displays this label as the name of the
mounted drive

If you format a USB drive, it uses the first 11 characters of the label as its
name

Configuration Manager writes a text file called MediaLabel.txt to the root
of the media. By default, the file includes a single line of text:
label=Configuration Manager . If you customize the label for media, this
line uses your custom label instead of the default value.

Include autorun.inf file on media: Starting in version 1906, Configuration
Manager doesn't add an autorun.inf file by default. This file is commonly
blocked by antimalware products. For more information on the AutoRun
feature of Windows, see Creating an AutoRun-enabled CD-ROM Application.
If still necessary for your scenario, select this option to include the file.

5. On the Boot image page, specify the following options:

Important

The architecture of the boot image that you distribute must be appropriate
for the architecture of the destination computer. For example, an x64
destination computer can boot and run an x86 or x64 boot image. However,
an x86 destination computer can boot and run only an x86 boot image.

Boot image: Select the boot image to start the destination computer.

Distribution point: Select the distribution point that has the boot image. The
wizard retrieves the boot image from the distribution point and writes it to
the media.

Note

Your user account needs at least Read permissions to the content library
on the distribution point.

6. Complete the wizard.

Next steps
Create a task sequence to capture an OS

Use the task sequence editor
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

Edit task sequences in the Configuration Manager console by using the Task Sequence
Editor. Use the editor to:

Open a read-only view of the task sequence

Add or remove steps from the task sequence

Change the order of the steps of the task sequence

Add or remove groups of steps

Copy and paste steps between task sequences

Set step options like whether the task sequence continues when an error occurs

Add conditions to the steps and groups of a task sequence

Copy and paste conditions between steps in a task sequence

Search the task sequence to quickly locate steps

Before you can edit a task sequence, you need to create it. For more information, see
Manage and create task sequences.

About the task sequence editor


The task sequence editor includes the following components:
1. The name of the task sequence

2. Search. For more information, see Search.

3. Properties for the selected group or step in the sequence

For more information about the properties and options of a specific step, see
About task sequence steps.

4. Options for the selected group or step in the sequence

For more information on general options on all steps, or options of a specific step,
see About task sequence steps.

For more information on how to configure conditions, see Conditions.

5. Add a group or steps

6. Remove a group or steps

7. Collapse all groups or expand all groups

8. Move the position of a group or step in the sequence (move up, move down)

9. The task sequence:

See the order of steps and groups.


Expand or collapse a group.
When you disable a step or group on its Options, it's greyed out in the
sequence.
A step's icon changes to a red error if there's an issue with the step. For
example, a required value is missing.

10. OK: Save and close

11. Cancel: Close without saving changes

12. Apply: Save changes and keep open

You can resize the task sequence editor using standard Windows controls. To resize the
widths of the two main panes, use the mouse to select the bar between the task
sequence and the step properties, and then drag it left or right.

Note

Configuration Manager restricts actions for a task sequence that's greater than 2
MB in size. For example, the task sequence editor will display an error if you try to
save changes to a large task sequence. For more information, see Reduce the size
of task sequence policy.

View a task sequence


1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. In the Task Sequence list, select the task sequence that you want to view.

3. On the Home tab of the ribbon, in the Task Sequence group, select View.

Tip

This action is the default. If you double-click a task sequence, you'll View the
task sequence.

This action opens the task sequence editor in read-only mode. In this mode you can do
the following actions:

View all groups, steps, properties, and options


Expand and collapse groups
Search the task sequence
Resize the editor window

In this read-only mode, you can't make any changes, including copying a step or
condition. This action also doesn't lock the task sequence for editing. For more
information on these locks, see Reclaim lock for editing task sequences.

To make changes to a task sequence, close the task sequence editor that you have open
in read-only mode. Then Edit the task sequence.

Note

When you view or edit a task sequence that was created by the Create Task
Sequence Wizard, the name of the step can be the action or type of the step. For
example, you might see a step that has the name "Partition disk 0", which is the
action for a step of type Format and Partition Disk. All task sequence steps are
documented by their type, not necessarily by the name of the step that the editor
displays.

Edit a task sequence


Use the following procedure to modify an existing task sequence:

1. In the Configuration Manager console, go to the Software Library workspace,
expand Operating Systems, and then select the Task Sequences node.

2. In the Task Sequence list, select the task sequence that you want to edit.

3. On the Home tab of the ribbon, in the Task Sequence group, select Edit. Then do
any of the following actions:

Add a step: Select Add, select a category, and then select the step to add. For
example, to add the Run Command Line step: select Add, choose the General
category, and then select Run Command Line. This action adds the step after
the currently selected step.

Add a group: Select Add, and then choose New Group. After you add a
group, then add steps to it.

Change the order: Select the step or group that you want to reorder. Then
use the Move Up or Move Down icons. You can move only one step or group
at a time. These actions are also available when you right-click a group or
step.
You can cut, copy, and paste a group or a step. Right-click the item and select
the action. You can also use standard keyboard shortcuts for each action:
Cut: CTRL + X
Copy: CTRL + C
Paste: CTRL + V

Remove a step or group: Select the step or group, and choose Remove.

4. Select OK to save your changes and close the window. Select Cancel to discard
your changes and close the window. Select Apply to save your changes and keep
the task sequence editor open.

For a list of the available task sequence steps, see Task sequence steps.

Important

If the task sequence has any unassociated references to an object as a result of the
edit, the editor requires you to fix the reference before it can close. Possible actions
include:

Correct the reference


Delete the unreferenced object from the task sequence
Temporarily disable the failed task sequence step until the broken reference is
corrected or removed

You can open more than one instance of the task sequence editor at the same time. This
behavior lets you compare multiple task sequences, or copy and paste steps between
them. You can Edit one task sequence, and View another, but you can't do both actions
on the same task sequence.

Conditions
Use conditions to control how the task sequence behaves. Add conditions to a single
step or a group of steps. The task sequence evaluates the conditions before it runs the
step on the device. It only runs the step if the conditions evaluate true. If a condition
evaluates false, then the task sequence skips the group or step.

Use the Options tab to manage conditions:


The following types of conditions are available:

If statement: Use an if statement to group conditions. You can evaluate All
conditions, Any condition, or None.

Task sequence variable. Evaluate the current value of any built-in, action, custom,
or read-only task sequence variable in the task sequence environment. For more
information, see Step conditions.

Note

You can use an array variable in this condition, but you have to specify the
specific array member. For example, OSDAdapter0EnableDHCP specifies whether
the first network adapter enables DHCP. For more information, see Array
variables.

OS version: Evaluate the OS version of the device where the task sequence runs.
This list is the general OS versions used throughout Configuration Manager. To
evaluate a more detailed OS version, such as a specific version of Windows 10, use
the Query WMI condition.

OS language: Evaluate the OS language of the device where the task sequence
runs. This list includes the 257 languages that Windows supports.

File properties: Evaluate the version or timestamp of any file on the device where
the task sequence runs.

Folder properties: Evaluate the timestamp of any folder on the device where the
task sequence runs.

Registry setting: Evaluate any registry key value of the device where the task
sequence runs.

Query WMI: Specify the namespace and query to evaluate on the device where the
task sequence runs.

Installed software: Specify a Windows Installer file to load product information to
match on the device where the task sequence runs. You can match against a
specific product or any version of the product.

Cmdlets for conditions


Manage conditions with the following PowerShell cmdlets:

Get-CMTSStepConditionFile
Get-CMTSStepConditionFolder
Get-CMTSStepConditionIfStatement
Get-CMTSStepConditionOperatingSystem
Get-CMTSStepConditionQueryWmi
Get-CMTSStepConditionRegistry
Get-CMTSStepConditionSoftware
Get-CMTSStepConditionVariable

Copy and paste conditions


To reuse conditions from one step to another, copy and paste conditions in the task
sequence editor. Select a condition to cut or copy it. If a condition has children, it copies
the entire block. If there's a condition on the clipboard, you can paste it with the
following options:

Paste before
Paste after
Paste under (only applies to nested conditions)

Use standard keyboard shortcuts to copy (CTRL + C) and cut (CTRL + X). The standard
CTRL + V keyboard shortcut does the Paste after action.

There are also new options to move conditions up or down the list.

Note

You can copy and paste conditions between steps in a task sequence. It doesn't
support this action between different task sequences.

Reclaim lock for editing
If the Configuration Manager console stops responding, you can be locked out of
making further changes until the lock expires after 30 minutes. This lock is part of the
Configuration Manager SEDO (Serialized Editing of Distributed Objects) system. For
more information, see Configuration Manager SEDO.

You can clear your lock on a task sequence. This action only applies to your user account
that has the lock, and on the same device from which the site granted the lock. When
you attempt to access a locked task sequence, you can now Discard Changes, and
continue editing the object. These changes would be lost anyway when the lock expired.

Tip

You can clear your lock on any object in the Configuration Manager console. For
more information, see Using the Configuration Manager console.

Search
If you have a large task sequence with many groups and steps, it can be difficult to find
specific steps. To more quickly locate steps in the task sequence, search in the task
sequence editor.
Enter a search term to start. You can scope your search using the following types:

Step name
Step description
Step type
Group name
Group description
Variable name
Conditions
Other content, for example, strings like variable values or command lines

It enables all scopes by default.

You can also filter for all steps with the following attributes:

Continue on error
Has conditions

It doesn't enable either filter by default.


When you search, the editor window highlights in yellow the steps that match your
search criteria.

Quickly access these search fields and navigate the search results with the following
keyboard shortcuts:

CTRL + F: enter a search string
CTRL + O: select the search options to scope the results
F3 or Enter: step forward through the results
SHIFT + F3: step backwards through the results

See also
Manage and create task sequences

About task sequence steps

How to use task sequence variables

Using the Configuration Manager console


User experiences for OS deployment
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

After you deploy a task sequence, depending upon the scenario there are different ways
for users to interact with the deployment. This article shows the main user experiences
with OS deployments, and how you can configure them:

Software Center user notification for a high-impact deployment
A sample PXE boot experience
Task sequence wizard from media
Progress window when the task sequence runs
Error window when the task sequence fails

Software Center
For a high-impact deployment, you can customize the message that Software Center
displays. When the user opens the OS deployment in Software Center, they see a
message similar to the following window:

For more information on how to customize the message in this window, see Create a
custom notification.

You can also customize the organization name at the top of the window. (The above
example shows the default value, IT Organization ). Change the Organization name
client setting in the Computer Agent group. For more information, see About client
settings.

For more information, see Use Software Center to deploy Windows over the network.

PXE
Different hardware models have different experiences for PXE. To boot to the network,
UEFI-based devices typically use the Enter key, and BIOS-based devices use the F12
key.

The following example shows the Hyper-V Gen1 (BIOS) PXE experience:

After the device successfully boots via PXE, it behaves similarly to bootable media. For
more information, see the next section on the Task sequence wizard.

For more information, see Use PXE to deploy Windows over the network.

Warning

If you use PXE deployments, and configure device hardware with the network
adapter as the first boot device, these devices can automatically start an OS
deployment task sequence without user interaction. Deployment verification
doesn't manage this configuration. While this configuration may simplify the
process and reduce user interaction, it puts the device at greater risk for accidental
reimage.

Task sequence wizard


When you use task sequence media, the task sequence wizard runs to guide the
process.

Welcome to the task sequence wizard


If you password-protect the media, the user has to enter the password on this
welcome page.

Select Configure Network Settings to specify a static IP address or other custom
network settings. Otherwise, the device uses DHCP by default.

If your network requires a proxy, select Configure Proxy Settings.

Select a task sequence to run


If you deploy more than one task sequence to the device, you see this page to select a
task sequence. Make sure to use a name and description for your task sequence that
users can understand.

Edit task sequence variables
If any task sequence variables have empty values, the wizard shows a page to edit the
variable values.

Return to previous page on failure


When you run a task sequence, and there's a failure, you can return to a previous page
of the task sequence wizard. In prior versions of Configuration Manager, you had to
restart the task sequence when there was a failure. Use the Previous button in the
following scenarios:

When a computer starts in Windows PE, the task sequence bootstrap dialog might
display before the task sequence is available. When you select Next in this
scenario, the final page of the task sequence displays with a message that there
are no task sequences available. Now, you can select Previous to search again for
available task sequences. You can repeat this process until the task sequence is
available.

When you run a task sequence, but dependent content packages aren't available
yet on distribution points, the task sequence fails. If the missing content wasn't
distributed yet, distribute it now. Or wait for the content to be available on
distribution points. Then select Previous to have the task sequence search again
for the content.

Prestart commands
You can customize task sequence media or boot images to run a prestart command. A
prestart command runs before the task sequence starts. The following actions are some
of the more common ones:

Prompt the user for dynamic values, like the computer name
Specify network configuration
Set user device affinity

The prestart command is a command line that you specify with a script or program. The
user experience is unique to that script or program.

For more information, see the following articles:

Prestart commands for task sequence media
Manage boot images
Task sequence media

Task sequence progress


When the task sequence runs, it displays the Installation progress window:

This window is always on top; you can move it, but you can't close or minimize it.

You can customize the organization name at the top of the window. (The above
example shows the default value, IT Organization ). Change the Organization
name client setting in the Computer Agent group. For more information, see
About client settings.

Tip

The task sequence stores this value in the read-only variable
_SMSTSOrgName.

You can customize the subheading. (The above example shows the default value,
Running: <task sequence name> .) On the properties of the task sequence, select the
option to Use custom text for the progress notification text. It allows a maximum
of 255 characters.

Running action: The first line shows the name of the current task sequence step.
The progress bar below it shows the overall completion of the task sequence.

The second line only shows for some steps that provide more detailed progress.

Use the task sequence variable TSDisableProgressUI to control when the task
sequence displays progress.

To completely disable the progress window, disable the option to Show Task
Sequence progress on the User Experience page of the task sequence
deployment.

The task sequence progress window includes the following information:

Shows the current step number, total number of steps, and percent completion
Increased the width of the window to give you more space to better show the
organization name in a single line

By default, the task sequence progress window uses the existing text. If you make no
changes, it continues to work the same as in earlier versions. To show the progress
information, specify the task sequence variable, TSProgressInfoLevel.

The count and percentage completed are intended for general guidance purposes only.
These values are based on the total number of steps in the task sequence. For a more
complex task sequence with steps that run conditionally based on task sequence logic,
the progress may be non-linear.

The count of total steps doesn't include the following items in the task sequence:

Groups. This item is a container for other steps, not a step itself.

Instances of the Run task sequence step. This step is a container for other steps.

Steps that you explicitly disable. A disabled step doesn't run during the task
sequence.

It doesn't count enabled steps in a disabled group.

Task sequence error


If the task sequence fails, it displays the Task Sequence Error window.

You customize the header information the same as the task sequence progress
window.

It displays the name of the task sequence, an error code, and a general message
for users. For example: Task sequence: Upgrade to Windows 10 Enterprise has
failed with the error code (0x80004005). For more information, contact your
system administrator or helpdesk operator.

The window automatically closes after a timeout period. By default, this timeout is
15 minutes. You can customize this value with the task sequence variable
SMSTSErrorDialogTimeout.

Starting in version 2103, if the task sequence fails because the client doesn't meet the
requirements configured in the Check readiness step, the user can now see more details
about the failed prerequisites. They still see the common "task sequence error" message,
but can then select an option to Inspect. This action shows the checks that failed on the
device.

Task sequence steps
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The following task sequence steps can be added to a Configuration Manager task
sequence. For more information, see Use the task sequence editor.

Common settings
The following settings are common to all task sequence steps:

Properties for all steps


Name: The task sequence editor requires that you specify a short name to describe
this step. When you add a new step, the task sequence editor sets the name to the
Type by default. The Name length can't exceed 50 characters.

Description: Optionally, specify more detailed information about this step. The
Description length can't exceed 256 characters.

The rest of this article describes the other settings on the Properties tab for each task
sequence step.

Options for all steps


Disable this step: The task sequence skips this step when it runs on a computer.
The icon for this step is greyed out in the task sequence editor.

Continue on error: If an error occurs while running the step, the task sequence
continues. For more information, see Planning considerations for automating tasks.

Add Condition: The task sequence evaluates these conditional statements to
determine if it runs the step. For an example of using a task sequence variable as a
condition, see How to use task sequence variables. For more information about
conditions, see Task sequence editor - Conditions.

The sections below for specific task sequence steps describe other possible settings on
the Options tab.

Apply Data Image


Use this step to copy the data image to the specified destination partition.

This step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Images, and select Apply
Data Image.

Variables for Apply Data Image


Use the following task sequence variables with this step:

OSDDataImageIndex
OSDWipeDestinationPartition

Cmdlets for Apply Data Image


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepApplyDataImage
New-CMTSStepApplyDataImage
Remove-CMTSStepApplyDataImage
Set-CMTSStepApplyDataImage

Properties for Apply Data Image


On the Properties tab for this step, configure the settings described in this section.

Image Package

Select Browse to specify the Image Package used by this task sequence. Select the
package you want to install in the Select a Package dialog box. The bottom of the
dialog box displays the associated property information for each existing image
package. Use the drop-down list to select the Image you want to install from the
selected Image Package.

Note

This task sequence action treats the image as a data file. This action doesn't do any
setup to boot the image as an OS.

Destination
Configure one of the following options:

Next available partition: Use the next sequential partition that an Apply Operating
System or Apply Data Image step in this task sequence has not already targeted.

Specific disk and partition: Select the Disk number (starting with 0) and the
Partition number (starting with 1).

Specific logical drive letter: Specify the Drive Letter that Windows PE assigns to
the partition. This drive letter can be different from the drive letter assigned by the
newly deployed OS.

Logical drive letter stored in a variable: Specify the task sequence variable that
contains the drive letter assigned to the partition by Windows PE. This variable is
typically set in the Advanced section of the Partition Properties dialog box for the
Format and Partition Disk task sequence step.

Delete all content on the partition before applying the image

Specifies that the task sequence deletes all files on the target partition before installing
the image. By not deleting the content of the partition, this action can be used to apply
additional content to a previously targeted partition.

Apply Driver Package


Use this step to download all of the drivers in the driver package and install them on the
Windows OS.

The Apply Driver Package task sequence step makes all device drivers in a driver
package available for use by Windows. Add this step between the Apply Operating
System and Setup Windows and ConfigMgr steps to make the drivers in the package
available to Windows. The Apply Driver Package task sequence step is also useful with
stand-alone media deployment scenarios.

Put similar device drivers into a driver package, and distribute them to the appropriate
distribution points. For example, put all drivers from one manufacturer into a driver
package. Then distribute the package to distribution points where the associated
computers can access them.

The Apply Driver Package step is useful for stand-alone media. This step is also useful
to install a specific set of drivers. These types of drivers include devices that Windows
plug-and-play doesn't detect, such as network printers.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Drivers, and select Apply
Driver Package.

Tip

For an overview on drivers in Configuration Manager, see Use task sequences to
install drivers.

Use content pre-caching to download an applicable driver package before a user
installs the task sequence. For more information, see Configure pre-cache content.

Variables for Apply Driver Package


Use the following task sequence variables with this step:

OSDApplyDriverBootCriticalContentUniqueID
OSDApplyDriverBootCriticalHardwareComponent
OSDApplyDriverBootCriticalID
OSDApplyDriverBootCriticalINFFile
OSDInstallDriversAdditionalOptions

Cmdlets for Apply Driver Package


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepApplyDriverPackage
New-CMTSStepApplyDriverPackage
Remove-CMTSStepApplyDriverPackage
Set-CMTSStepApplyDriverPackage

Properties for Apply Driver Package


On the Properties tab for this step, configure the settings described in this section.

Driver package
Specify the driver package that contains the needed device drivers. Select Browse to
launch the Select a Package dialog box. Select an existing driver package to apply. The
bottom of the dialog box displays the associated package properties.

Install driver package via running DISM with recurse option
Select this option to add the /recurse parameter to the DISM command line when
Windows applies the driver package.

When you enable this option, you can also specify additional DISM command-line
parameters. Use the OSDInstallDriversAdditionalOptions task sequence variable to
include more options. For more information, see Windows DISM Command-Line
Options.

Select the mass storage driver within the package that needs to be
installed before setup on pre-Windows Vista operating systems

Specify any mass storage drivers needed to install a classic OS.

Driver

Select the mass storage driver file to install before setup of a classic OS. The drop-down
list populates from the specified package.

Model

Specify the boot-critical device that is needed for pre-Windows Vista OS deployments.

Do unattended installation of unsigned drivers on version of
Windows where this is allowed
This option allows Windows to install drivers without a digital signature.

Apply Network Settings


Use this step to specify the network or workgroup configuration information for the
destination computer. The task sequence stores these values in the appropriate answer
file. Windows Setup uses this answer file during the Setup Windows and ConfigMgr
action.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Settings, and select
Apply Network Settings.

Note

If you include multiple instances of this step in a task sequence, conditions don't
apply. The settings from the last instance of this step in the task sequence are
applied to the device. To work around this behavior, include each step in a separate
group with conditions on the group.

Variables for Apply Network Settings


Use the following task sequence variables with this step:

OSDAdapter
OSDAdapterCount
OSDDNSDomain
OSDDNSSuffixSearchOrder
OSDDomainName
OSDDomainOUName
OSDEnableTCPIPFiltering
OSDJoinAccount
OSDJoinPassword
OSDWorkgroupName

Cmdlets for Apply Network Settings


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepApplyNetworkSetting
New-CMTSStepApplyNetworkSetting
Remove-CMTSStepApplyNetworkSetting
Set-CMTSStepApplyNetworkSetting
New-CMTSNetworkAdapterSetting

Properties for Apply Network Settings


On the Properties tab for this step, configure the settings described in this section.

Join a workgroup

Select this option to have the destination computer join the specified workgroup. Enter
the name of the workgroup on the Workgroup line. The value that the Capture
Network Settings task sequence step captures can override this value.

Join a domain
Select this option to have the destination computer join the specified domain. Specify or
browse to the domain, such as fabricam.com . Specify or browse to a Lightweight
Directory Access Protocol (LDAP) path for an organizational unit. For example:
LDAP//OU=computers, DC=Fabricam.com, C=com .

Note

When an Azure Active Directory (Azure AD)-joined client runs an OS deployment
task sequence, the client in the new OS won't automatically join Azure AD. Even
though it's not Azure AD-joined, the client is still managed.

Account
Select Set to specify an account with the necessary permissions to join the computer to
the domain. In the Windows User Account dialog box, enter the user name in the
following format: Domain\User . For more information, see Domain joining account.

Adapter settings
Specify network configurations for each network adapter in the computer. Select New to
open the Network Settings dialog box, and then specify the network settings.

If you also use the Capture Network Settings step, the task sequence applies the
previously captured settings to the network adapter.
If the task sequence didn't previously capture network settings, it applies the
settings you specify in this step.
The task sequence applies these settings to network adapters in Windows device
enumeration order.
The task sequence doesn't immediately apply the settings you specify in this step
to the computer.

Apply Operating System Image


Use this step to install an OS on the destination computer.

After the Apply Operating System action runs, it sets the OSDTargetSystemDrive
variable to the drive letter of the partition containing the OS files.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Images, and select Apply
Operating System Image.

Tip

Windows 11 and Windows 10 media include multiple editions. When you configure
a task sequence to use an OS upgrade package or OS image, be sure to select a
supported edition.

Use content pre-caching to download an applicable OS upgrade package before a
user installs the task sequence. For more information, see Configure pre-cache
content.

The Setup Windows and ConfigMgr step starts the installation of Windows.

Variables for Apply OS Image


Use the following task sequence variables with this step:

OSDConfigFileName
OSDImageIndex
OsdLayeredDriver
OSDTargetSystemDrive

Cmdlets for Apply OS Image


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepApplyOperatingSystem
New-CMTSStepApplyOperatingSystem
Remove-CMTSStepApplyOperatingSystem
Set-CMTSStepApplyOperatingSystem

Behaviors for Apply OS Image


This step performs different actions depending on whether it uses an OS image or an
OS upgrade package.

OS image actions
The Apply Operating System Image step performs the following actions when using an
OS image:

1. Delete all content on the targeted volume, except files in the folder specified by
the _SMSTSUserStatePath variable.

2. Extract the contents of the specified .wim file to the specified destination partition.

3. Prepare the answer file:

a. Create a new default Windows Setup answer file (sysprep.inf or unattend.xml)
for the deployed OS.

b. Merge any values from the user-supplied answer file.

4. Copy Windows boot loaders into the active partition.

5. Set the boot.ini or the Boot Configuration Database (BCD) to reference the newly
installed OS.

OS upgrade package actions


The Apply Operating System Image step performs the following actions when using an
OS upgrade package:

1. Delete all content on the targeted volume, except files in the folder specified by
the _SMSTSUserStatePath variable.

2. Prepare the answer file:

a. Create a fresh answer file with standard values created by Configuration
Manager.

b. Merge any values from the user-supplied answer file.

Properties for Apply OS Image


On the Properties tab for this step, configure the settings described in this section.

Apply operating system from a captured image

Installs an OS image that you captured. Select Browse to open the Select a package
dialog box. Then select the existing image package you want to install. If multiple
images are associated with the specified Image package, select from the drop-down list
the associated image to use for this deployment. You can view basic information about
each existing image by selecting it.

Apply operating system image from an original installation source


Installs an OS using an OS upgrade package, which is also an original installation source.
Select Browse to open the Select an Operating System Upgrade Package dialog box.
Then select the existing OS upgrade package you want to use. You can view basic
information about each existing image source by selecting it. The results pane at the
bottom of the dialog box displays the associated image source properties. If there are
multiple editions associated with the specified package, use the drop-down list to select
the Edition you want to use.

Note

Operating System Upgrade Packages are primarily meant for use with in-place
upgrades and not for new installations of Windows. When deploying new
installations of Windows, use the Apply operating system from a captured image
option and install.wim from the installation source files.

Deploying new installations of Windows via Operating System Upgrade Packages
is still supported, but it's dependent on drivers being compatible with this method.
When installing Windows from an OS upgrade package, drivers are installed while
still in Windows PE versus simply being injected while in Windows PE. Some drivers
aren't compatible with being installed while in Windows PE.

If drivers aren't compatible with being installed while in Windows PE, then create an
Operating System Image with the install.wim from the original installation source
files. Then deploy via the Apply operating system from a captured image option
instead.

Use an unattended or sysprep answer file for a custom installation


Use this option to provide a Windows setup answer file (unattend.xml, unattend.txt, or
sysprep.inf) depending on the OS version and installation method. The file you specify
can include any of the standard configuration options supported by Windows answer
files. For example, you can use it to specify the default Internet Explorer home page.
Specify the package that contains the answer file and the associated path to the file in
the package.

Note

The Windows setup answer file that you supply can contain embedded task
sequence variables of the form %varname% , where varname is the name of the
variable. The Setup Windows and ConfigMgr step substitutes the variable string
for the actual value of the variable. You can't use these embedded task sequence
variables in numeric-only fields in an unattend.xml answer file.

If you don't supply a Windows setup answer file, the task sequence automatically
generates an answer file.
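
A pre-flight check for the %varname% placeholders described in the note above, as an added example that isn't part of the original article. The function name, the sample answer file, and the variables SiteTimeZone and RdpSecurityLayer are constructed for illustration; the article doesn't enumerate numeric-only fields, so the caller supplies that list.

```powershell
# Added example: list every %varname% placeholder in a Windows setup answer
# file, and flag placeholders that reference a variable the task sequence
# doesn't set or that sit in an element the caller treats as numeric-only.

function Test-AnswerFileVariable {
    [CmdletBinding()]
    param(
        # Parsed answer file (unattend.xml).
        [Parameter(Mandatory)] [xml] $AnswerFile,
        # Task sequence variables known to be set before Setup Windows and ConfigMgr.
        [string[]] $DefinedVariable = @(),
        # Element names that accept numbers only (caller-supplied assumption).
        [string[]] $NumericElement = @()
    )

    $pattern = '%([A-Za-z_][A-Za-z0-9_]*)%'

    # Answer file values are element text, so walk every text node.
    foreach ($node in $AnswerFile.SelectNodes('//text()')) {
        $element = $node.ParentNode.LocalName
        foreach ($hit in [regex]::Matches($node.InnerText, $pattern)) {
            $name = $hit.Groups[1].Value
            [pscustomobject]@{
                Element        = $element
                Variable       = $name
                Defined        = $DefinedVariable -contains $name
                InNumericField = $NumericElement -contains $element
            }
        }
    }
}

# Constructed sample answer file (trimmed; not a complete unattend.xml).
[xml]$sample = @'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup">
      <ComputerName>%OSDComputerName%</ComputerName>
      <RegisteredOrganization>%OSDRegisteredOrgName%</RegisteredOrganization>
      <TimeZone>%SiteTimeZone%</TimeZone>
    </component>
    <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions">
      <SecurityLayer>%RdpSecurityLayer%</SecurityLayer>
    </component>
  </settings>
</unattend>
'@

$check = @{
    AnswerFile      = $sample
    DefinedVariable = 'OSDComputerName', 'OSDRegisteredOrgName', 'RdpSecurityLayer'
    NumericElement  = 'SecurityLayer'
}

# Keep only the rows that need attention before the file is packaged.
Test-AnswerFileVariable @check |
    Where-Object { -not $_.Defined -or $_.InNumericField }
```

With the sample above, the filter leaves the SiteTimeZone placeholder (not in the defined list) and the RdpSecurityLayer placeholder (inside an element the caller marked numeric-only).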

Destination

Configure one of the following options:

Next available partition: Use the next sequential partition not already targeted by
an Apply Operating System or Apply Data Image step in this task sequence.

Specific disk and partition: Select the Disk number (starting with 0) and the
Partition number (starting with 1).

Specific logical drive letter: Specify the Drive Letter assigned to the partition by
Windows PE. This drive letter can be different from the drive letter assigned by the
newly deployed OS.

Logical drive letter stored in a variable: Specify the task sequence variable
containing the drive letter assigned to the partition by Windows PE. This variable is
typically set in the Advanced section of the Partition Properties dialog box for the
Format and Partition Disk task sequence step.

Select layered driver if applicable

Version 2107 and later supports layered keyboard drivers. These drivers specify other
types of keyboards that are common with Japanese and Korean languages. For more
information, see the LayeredDriver Windows setting.

Choose one of the following options:

Do not specify: This option is the default, which doesn't configure the
LayeredDriver setting in the unattend.xml. This behavior is consistent with earlier
versions of Configuration Manager.

PC/AT Enhanced keyboard (101/102-key)
Korean PC/AT 101-Key Compatible keyboard or the Microsoft Natural keyboard
(type 1)
Korean PC/AT 101-Key Compatible keyboard or the Microsoft Natural keyboard
(type 2)
Korean PC/AT 101-Key Compatible keyboard or the Microsoft Natural keyboard
(type 3)
Korean keyboard (103/106-key)
Japanese keyboard (106/109-key)

You can also use the OsdLayeredDriver task sequence variable.

Options for Apply OS Image


Besides the default options, configure the following additional settings on the Options
tab of this task sequence step:

Access content directly from the distribution point

Configure the task sequence to access the OS image directly from the distribution point.
For example, use this option when you deploy operating systems to embedded devices
that have limited storage capacity. When selecting this option, also configure the
package share settings on the Data Access tab of the OS image properties.

Note

This setting overrides the deployment option that you configure on the
Distribution Points page in the Deploy Software Wizard. This override is only for
the OS image that this step specifies, not for all task sequence content.

Important

For greatest security, it is strongly recommended not to select this option. This
option is mainly designed for use on devices with limited storage capacity. This
option is not meant to help increase the speed of the task sequence. When this
option is selected, the package hash is not verified for the operating system
package. Therefore, package integrity cannot be ensured because it is possible for
users with administrative rights to alter or tamper with package contents.
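
Because this option skips the package hash check, and the unsigned-driver option in the Apply Driver Package section skips signature enforcement, it helps to list every step that has either one enabled. The following PowerShell is an added example, not part of the original article; the property names RunFromNet and UnsignedDriver and both function names are assumptions to confirm on your site (for example with Get-Member).

```powershell
# Added example. ASSUMPTION: step objects returned by the Get-CMTSStep*
# cmdlets expose the Boolean properties RunFromNet (Apply Operating System
# Image) and UnsignedDriver (Apply Driver Package).

function Get-TSStepIntegrityFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject] $Step,

        [string] $TaskSequenceName = '(not specified)'
    )
    process {
        # "Access content directly from the distribution point":
        # the package hash is not verified for the OS image.
        if ($Step.RunFromNet -eq $true) {
            [pscustomobject]@{
                TaskSequence = $TaskSequenceName
                Step         = $Step.Name
                Setting      = 'Access content directly from the distribution point'
                Concern      = 'Package hash is not verified'
            }
        }

        # "Do unattended installation of unsigned drivers ...":
        # Windows installs drivers that have no digital signature.
        if ($Step.UnsignedDriver -eq $true) {
            [pscustomobject]@{
                TaskSequence = $TaskSequenceName
                Step         = $Step.Name
                Setting      = 'Unattended installation of unsigned drivers'
                Concern      = 'Driver signature is not required'
            }
        }
    }
}

function Get-SiteIntegrityFinding {
    # Run from a session with the ConfigurationManager module imported and
    # the site drive as the current location.
    foreach ($ts in Get-CMTaskSequence) {
        $steps = @(Get-CMTSStepApplyOperatingSystem -InputObject $ts) +
                 @(Get-CMTSStepApplyDriverPackage   -InputObject $ts)
        $steps | Get-TSStepIntegrityFinding -TaskSequenceName $ts.Name
    }
}

# Constructed sample steps (not from a real site) so the check runs offline.
$sampleSteps = @(
    [pscustomobject]@{ Name = 'Apply OS - kiosk';     RunFromNet = $true }
    [pscustomobject]@{ Name = 'Apply OS - standard';  RunFromNet = $false }
    [pscustomobject]@{ Name = 'Apply vendor drivers'; UnsignedDriver = $true }
)

$sampleSteps | Get-TSStepIntegrityFinding -TaskSequenceName 'Constructed sample'
```

On the constructed input this reports the kiosk OS step and the vendor driver step; call Get-SiteIntegrityFinding to run the same check against a live site.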

Apply Windows Settings


Use this step to configure the Windows settings for the destination computer. The task
sequence stores these values in the appropriate answer file. Windows Setup uses this
answer file during the Setup Windows and ConfigMgr step.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Settings, and select
Apply Windows Settings.

Variables for Apply Windows Settings


Use the following task sequence variables with this step:

OSDComputerName
OSDLocalAdminPassword
OSDProductKey
OSDRandomAdminPassword
OSDRegisteredOrgName
OSDRegisteredUserName
OSDServerLicenseConnectionLimit
OSDServerLicenseMode
OSDTimeZone
OSDWindowsSettingsInputLocale
OSDWindowsSettingsSystemLocale
OSDWindowsSettingsUILanguage
OSDWindowsSettingsUILanguageFallback
OSDWindowsSettingsUserLocale

Cmdlets for Apply Windows Settings


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepApplyWindowsSetting
New-CMTSStepApplyWindowsSetting
Remove-CMTSStepApplyWindowsSetting
Set-CMTSStepApplyWindowsSetting

Properties for Apply Windows Settings


On the Properties tab for this step, configure the settings described in this section.

User name
Specify the registered user name to associate with the destination computer. The value
that the Capture Windows Settings task sequence step captures can override this value.

Organization name
Specify the registered organization name to associate with the destination computer.
The value that the Capture Windows Settings task sequence step captures can override
this value.

Product key
Specify the product key to use for the Windows installation on the destination
computer.

Server licensing

Note

This setting only applies to legacy versions of Windows that are no longer
supported. Starting in version 2010, the setting is no longer visible in the task
sequence editor. Existing task sequences that still use this setting will continue to
function the same.

Maximum connections

Note

This setting only applies to legacy versions of Windows that are no longer
supported. Starting in version 2010, the setting is no longer visible in the task
sequence editor. Existing task sequences that still use this setting will continue to
function the same.

Randomly generate the local administrator password and disable
the account on all supported platforms (recommended)
Select this option to set the local administrator password to a randomly generated
string. This option also disables the local administrator account on platforms that
support this capability.

Enable the account and specify the local administrator password


Select this option to enable the local administrator account using the specified
password. Enter the password on the Password line and confirm the password on the
Confirm password line.

Time zone
Specify the time zone to configure on the destination computer. The value that the
Capture Windows Settings task sequence step captures can override this value.

Language settings

Use these settings to control the language configuration during OS deployment. If
you're already applying these language settings, this change can help you simplify your
OS deployment task sequence. Instead of using multiple steps per language or separate
scripts, use one instance per language of this step with a condition for that language.

Configure the following settings:

Input locale (default keyboard layout)
System locale
UI language
UI language fallback
User locale

For more information on these Windows setup answer file values, see Microsoft-
Windows-International-Core.

Note

If you create a custom Windows setup answer file (unattend.xml), this step
overwrites any existing values. To automate a dynamic process for these settings,
use the related task sequence variables. For example,
OSDWindowsSettingsInputLocale.

Auto Apply Drivers


Use this step to match and install drivers as part of the OS deployment.

Important

Stand-alone media can't use the Auto Apply Drivers step. The task sequence has
no connection to the Configuration Manager site in this scenario.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Drivers, and select Auto
Apply Drivers.

Tip

For an overview of drivers in Configuration Manager, see Use task sequences to
install drivers.

Behaviors for Auto Apply Drivers


The Auto Apply Drivers task sequence step performs the following actions:

1. Scan the hardware and find the plug-and-play IDs for all devices present on the
system.

2. Send the list of devices and their plug-and-play IDs to the management point. The
management point returns a list of compatible drivers from the driver catalog for
each hardware device. The list includes all enabled drivers regardless of what driver
package they are in, and drivers tagged with the specified driver category.

3. For each hardware device, the task sequence picks the best driver. This driver is
appropriate for the deployed OS, and is on an accessible distribution point.

4. The task sequence downloads the selected drivers from a distribution point, and
stages the drivers on the target OS.

a. When using an OS image, the task sequence places the drivers into the OS
driver store.

b. When using an OS upgrade package as an original installation source, the task
sequence configures Windows Setup with the drivers' location.

5. During the Setup Windows and ConfigMgr step in the task sequence, Windows
Setup finds the drivers staged by this step.

Variables for Auto Apply Drivers
Use the following task sequence variables with this step:

OSDAutoApplyDriverBestMatch
OSDAutoApplyDriverCategoryList
SMSTSDriverRequestConnectTimeOut
SMSTSDriverRequestReceiveTimeOut
SMSTSDriverRequestResolveTimeOut
SMSTSDriverRequestSendTimeOut

Cmdlets for Auto Apply Drivers


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepAutoApplyDriver
New-CMTSStepAutoApplyDriver
Remove-CMTSStepAutoApplyDriver
Set-CMTSStepAutoApplyDriver

Properties for Auto Apply Drivers


On the Properties tab for this step, configure the settings described in this section.

Install only the best matched compatible drivers

Specifies that the task sequence step installs only the best matched driver for each
hardware device detected.

Install all compatible drivers


The task sequence installs all drivers compatible for each detected hardware device.
Windows Setup then chooses the best driver. This option takes more network
bandwidth and disk space. The task sequence downloads more drivers, but Windows
can select a better driver.

Consider drivers from all categories


The task sequence searches all available driver categories for the appropriate device
drivers.

Limit driver matching to only consider drivers in selected categories

The task sequence searches in the specified driver categories for the appropriate device
drivers.

If you select multiple categories, it returns all matching drivers that are present in any of
the categories. It's equivalent to an OR operation.

Do unattended installation of unsigned drivers on versions of Windows where this is allowed

This option allows Windows to install drivers without a digital signature.

Important

This option doesn't apply to operating systems where you can't configure driver
signing policy.

Capture Network Settings


Use this step to capture Microsoft network settings from the computer running the task
sequence. The task sequence saves these settings in task sequence variables. These
settings override the default settings you configure on the Apply Network Settings
step.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Settings, and select
Capture Network Settings.

Variables for Capture Network Settings


Use the following task sequence variables with this step:

OSDMigrateAdapterSettings
OSDMigrateNetworkMembership

Cmdlets for Capture Network Settings


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepCaptureNetworkSettings
New-CMTSStepCaptureNetworkSettings
Remove-CMTSStepCaptureNetworkSettings
Set-CMTSStepCaptureNetworkSettings

Properties for Capture Network Settings


On the Properties tab for this step, configure the settings described in this section.

Migrate domain and workgroup membership


Captures the domain and workgroup membership information of the destination
computer.

Migrate network adapter configuration

Captures the network adapter configuration of the destination computer. It captures the
following information:

Global network settings
Number of adapters
The following network settings associated with each adapter: DNS, IP, and port
filters

Capture Operating System Image


This step captures one or more images from a reference computer. The task sequence
creates a Windows image (.wim) file on the specified network share. Then use the Add
Operating System Image Package wizard to import this image into Configuration
Manager for image-based OS deployments.

Configuration Manager captures each volume (drive) from the reference computer to a
separate image within the .wim file. If the reference computer has multiple volumes,
the resulting .wim file contains a separate image for each volume. This step only
captures volumes that are formatted as NTFS or FAT32. It skips volumes with other
formats, and USB volumes.

The installed OS on the reference computer must be a version of Windows that
Configuration Manager supports. Use the SysPrep tool to prepare the OS on the
reference computer. The installed OS volume and the boot volume must be the same
volume.

Specify an account with write permissions to the selected network share. For more
information on the capture OS image account, see Accounts.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Images, and select
Capture Operating System Image.

Variables for Capture OS Image


Use the following task sequence variables with this step:

OSDCaptureAccount
OSDCaptureAccountPassword
OSDCaptureDestination
OSDImageCreator
OSDImageDescription
OSDImageVersion
OSDTargetSystemRoot

Cmdlets for Capture OS Image


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepCaptureSystemImage
New-CMTSStepCaptureSystemImage
Remove-CMTSStepCaptureSystemImage
Set-CMTSStepCaptureSystemImage

Properties for Capture OS Image


On the Properties tab for this step, configure the settings described in this section.

Target
File system path to the location that Configuration Manager uses when storing the
captured OS image.

Description
An optional user-defined description of the captured OS image that's stored in the
image file.

Version
An optional user-defined version number to assign to the captured OS image. This value
can be any combination of letters and numbers. It's stored in the image file.

Created by
The optional name of the user that created the OS image. It's stored in the image file.

Capture operating system image account


Enter the Windows account that has permissions to the specified network share. Select
Set to specify the name of the Windows account.

Capture User State


This step uses the User State Migration Tool (USMT) to capture user state and settings
from the computer running the task sequence. This task sequence step is used in
conjunction with the Restore User State task sequence step. This step always encrypts
the USMT state store by using an encryption key that Configuration Manager generates
and manages.

Starting in version 2103, this step and the Restore User State step use the current
highest supported encryption algorithm, AES 256.

Important

If you have any active user state migrations, before you update the Configuration
Manager client on those devices, restore the user state. Otherwise, the updated
client will fail to restore the user state when it tries to use a different encryption
algorithm. If necessary, you can manually restore the user state and explicitly use
the USMT parameter /decrypt:3DES.

For more information about managing the user state when deploying operating
systems, see Manage user state.

If you want to save and restore user state settings from a state migration point, use this
step with the Request State Store and Release State Store steps.

This step provides control over a limited subset of the most commonly used USMT
options. Specify additional command-line options using the
OSDMigrateAdditionalCaptureOptions task sequence variable.

This task sequence step runs in either Windows PE or the full OS.

To add this step in the task sequence editor, select Add, select User State, and select
Capture User State.

Variables for Capture User State


Use the following task sequence variables with this step:

_OSDMigrateUsmtPackageID
OSDMigrateAdditionalCaptureOptions
OSDMigrateConfigFiles
OSDMigrateContinueOnLockedFiles
OSDMigrateEnableVerboseLogging
OSDMigrateMode
OSDMigrateSkipEncryptedFiles
OSDStateStorePath

Cmdlets for Capture User State


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepCaptureUserState
New-CMTSStepCaptureUserState
Remove-CMTSStepCaptureUserState
Set-CMTSStepCaptureUserState

Properties for Capture User State


On the Properties tab for this step, configure the settings described in this section.

User state migration tool package


Specify the package that contains the User State Migration Tool (USMT). The task
sequence uses this version of USMT to capture the user state and settings. This package
doesn't require a program. Specify a package containing the 32-bit or 64-bit version of
USMT. The architecture of USMT depends upon the architecture of the OS from which
the task sequence is capturing state.

Capture all user profiles by using standard options
Migrate all user profile information. This option is the default.

If you select this option, but don't select Restore local computer user profiles in the
Restore User State step, the task sequence fails. Configuration Manager can't migrate
the new accounts without assigning them passwords.

When you use the Install an existing image package option of the New Task Sequence
wizard, the resulting task sequence defaults to Capture all user profiles with standard
options. This default task sequence doesn't select the option to Restore local computer
user profiles, or non-domain user accounts.

Select Restore local computer user profiles and provide a password for the account to
migrate. In a manually created task sequence, this setting is found under the Restore
User State step. In a task sequence created by the New Task Sequence wizard, this
setting is found under the step Restore User Files and Settings wizard page.

If you have no local user accounts, this setting doesn't apply.

Customize how user profiles are captured

Select this option to specify a custom profile file for migration. Select Files to select the
configuration files for USMT to use with this step. Specify a custom .xml file that
contains rules that define the user state files to migrate.

Select configuration files

Choose this option and select Files to select the configuration files in the USMT package
you want to use to capture user profiles. To add a configuration file, enter the Filename
and select Add.

Enable verbose logging


Enable this option to generate more detailed log file information. When capturing state,
the task sequence by default generates ScanState.log in the task sequence log folder,
%WinDir%\ccm\logs.

Skip files using encrypted file system


Enable this option to skip capturing files encrypted with the Encrypted File System (EFS).
These files include user profile files. Depending on the OS and USMT versions,
encrypted files might not be readable after you restore. For more information, see the
USMT documentation.

Copy by using file system access

Enable this option to specify any of the following settings:

Continue if some files cannot be captured: Enable this setting to continue the
migration process even if it can't capture some files. If you disable this option, and
a file can't be captured, then this step fails. This option is enabled by default.

Capture locally by using links instead of by copying files: Enable this setting to
use NTFS hard-links to capture files.

For more information about migrating data using hard-links, see Hard-Link
Migration Store.

Capture in off-line mode (Windows PE only): Enable this setting to capture the
user state while in Windows PE instead of the full OS.

Capture by using Volume Copy Shadow Services (VSS)


This option allows you to capture files even if they're locked for editing by another
application.

Capture Windows Settings


Use this step to capture the Windows settings from the computer running the task
sequence. The task sequence saves these settings in task sequence variables. These
captured settings override the default settings that you configure on the Apply
Windows Settings step.

This task sequence step runs in either Windows PE or the full OS.

To add this step in the task sequence editor, select Add, select Settings, and select
Capture Windows Settings.

Variables for Capture Windows Settings


Use the following task sequence variables with this step:

OSDComputerName
OSDMigrateComputerName
OSDMigrateRegistrationInfo
OSDMigrateTimeZone
OSDRegisteredOrgName
OSDTimeZone

Cmdlets for Capture Windows Settings


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepCaptureWindowsSettings
New-CMTSStepCaptureWindowsSettings
Remove-CMTSStepCaptureWindowsSettings
Set-CMTSStepCaptureWindowsSettings

Properties for Capture Windows Settings


On the Properties tab for this step, configure the settings described in this section.

Migrate computer name


Capture the NetBIOS computer name of the computer.

Migrate registered user and organization names


Capture the registered user and organization names from the computer.

Migrate time zone


Capture the time zone setting on the computer.

Check Readiness
Use this step to verify that the target computer meets the specified deployment
prerequisite conditions.

To add this step in the task sequence editor, select Add, select General, and select
Check Readiness.

None of the following checks are selected by default in new or existing instances of the
step. For more information on each check, see the specific sections below.

Architecture of current OS
Minimum OS version
Maximum OS version
Minimum client version
Language of current OS
AC power plugged in
Network adapter connected
Network adapter is not wireless
Computer is in UEFI mode

Starting in version 2103, the task sequence progress displays more information about
readiness checks. If a task sequence fails because the client doesn't meet the
requirements of this step, the user can select an option to Inspect. This action shows the
checks that failed on the device. For more information, see User experiences for OS
deployment.

Starting in version 2111, this step includes checks for TPM 2.0. These checks can help
you better deploy Windows 11.

Important

To take advantage of this new Configuration Manager feature, after you update the
site, also update clients to the latest version. While new functionality appears in the
Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.

The smsts.log includes the outcome of all checks. If one check fails, the task sequence
engine continues to evaluate the other checks. The step doesn't fail until all checks are
complete. If at least one check fails, the step fails, and it returns error code 4316. This
error code translates to "The resource required for this operation does not exist."

Variables for Check Readiness


Use the following task sequence variables with this step:

_TS_CRMEMORY
_TS_CRSPEED
_TS_CRDISK
_TS_CROSTYPE
_TS_CRARCH
_TS_CRMINOSVER
_TS_CRMAXOSVER
_TS_CRCLIENTMINVER
_TS_CROSLANGUAGE
_TS_CRACPOWER
_TS_CRNETWORK
_TS_CRUEFI
_TS_CRWIRED
_TS_CRTPMACTIVATED (starting in version 2111)
_TS_CRTPMENABLED (starting in version 2111)

Cmdlets for Check Readiness


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepPrestartCheck
New-CMTSStepPrestartCheck
Remove-CMTSStepPrestartCheck
Set-CMTSStepPrestartCheck

Properties for Check Readiness


On the Properties tab for this step, configure the settings described in this section.

Minimum memory (MB)


Verify that the amount of memory, in megabytes (MB), meets or exceeds the specified
amount. The step enables this setting by default.

Minimum processor speed (MHz)

Verify that the speed of the processor, in megahertz (MHz), meets or exceeds the
specified amount. The step enables this setting by default.

Minimum free disk space (MB)


Verify that the amount of free disk space, in megabytes (MB), meets or exceeds the
specified amount.

Starting in version 2103, it also checks free space on disks without partitions.

Current OS to be refreshed is
Verify that the OS installed on the target computer meets the specified requirement. The
step sets this setting to CLIENT by default.

Architecture of current OS
Verify whether the current OS is 32-bit or 64-bit.

Minimum OS version
Verify that the current OS is running a version later than specified. Specify the version
with major version, minor version, and build number. For example, 10.0.16299.

Maximum OS version

Verify that the current OS is running a version earlier than specified. Specify the version
with major version, minor version, and build number. For example, 10.0.18356.

Minimum client version


Verify that the Configuration Manager client version is at least the specified version.
Specify the client version in the following format: 5.00.8913.1005.

Language of current OS
Verify that the current OS language matches what you specify. Select the language
name, and the step compares the associated language code. This check compares the
language that you select to the OSLanguage property of the Win32_OperatingSystem
WMI class on the client.

AC power plugged in

Verify that the device is plugged in and not on battery.

Network adapter connected

Verify that the device has a network adapter that's connected to the network. You can
also select the dependent check to verify that the Network adapter is not wireless.

Computer is in UEFI mode
Determine whether the device is configured for UEFI or BIOS.

TPM 2.0 or above is enabled

Starting in version 2111, checks whether the device that's running the task sequence has
a TPM 2.0 that's enabled.

TPM 2.0 or above is activated


Starting in version 2111, if the device has an enabled TPM 2.0, check that it's activated.

Options for Check Readiness

Note

If you enable the Continue on error setting on the Options tab of this step, it only
logs the readiness check results. If a check fails, the task sequence doesn't stop.
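
The following added example (not part of the original documentation or of Configuration Manager) shows one way to act on the logged results when Continue on error is enabled: a later Run PowerShell Script step reads the _TS_CR* variables and stops the deployment only when a security-relevant check did not pass. The choice of required and advisory checks, the function name, and the sample values are hypothetical; the example assumes each variable holds 1 (passed), 0 (failed), or nothing (check not enabled).

```powershell
# Added example (not Configuration Manager code). Run it as a Run PowerShell Script
# step after a Check Readiness step that has "Continue on error" enabled.
# Assumption: each _TS_CR* variable is '1' (check passed), '0' (check failed),
# or empty (check not enabled on the step).

# Hypothetical policy: these checks must pass before the deployment continues.
$RequiredChecks = '_TS_CRTPMENABLED', '_TS_CRTPMACTIVATED', '_TS_CRUEFI'
# Hypothetical policy: these checks are reported but never block.
$AdvisoryChecks = '_TS_CRACPOWER', '_TS_CRNETWORK', '_TS_CRWIRED', '_TS_CRDISK'

function Get-ReadinessVerdict {
    param(
        [Parameter(Mandatory)] [scriptblock] $ReadVariable,  # maps a variable name to its value
        [string[]] $Required = @(),
        [string[]] $Advisory = @()
    )

    $results = foreach ($name in ($Required + $Advisory)) {
        $raw = ([string](& $ReadVariable $name)).Trim()
        if     ($raw -eq '1') { $state = 'Passed' }
        elseif ($raw -eq '0') { $state = 'Failed' }
        elseif ($raw -eq '')  { $state = 'NotEvaluated' }
        else                  { $state = 'Unexpected' }

        [pscustomobject]@{
            Variable = $name
            State    = $state
            Required = ($Required -contains $name)
        }
    }

    # Fail closed: a required check blocks unless it explicitly passed. An empty
    # value means the check was never enabled, which must not count as success.
    $blocking = @($results | Where-Object { $_.Required -and $_.State -ne 'Passed' })

    # Reuse the step's own error code (4316) so existing failure handling applies.
    $exitCode = 0
    if ($blocking.Count -gt 0) { $exitCode = 4316 }

    [pscustomobject]@{
        Results  = @($results)
        Blocking = $blocking
        ExitCode = $exitCode
    }
}

# Inside a task sequence, read variables through the Microsoft.SMS.TSEnvironment
# COM object. Outside one, fall back to constructed sample values so that the
# logic can be exercised on any workstation.
try {
    $tsenv  = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
    $reader = { param($n) $tsenv.Value($n) }.GetNewClosure()
}
catch {
    $sample = @{                      # constructed sample data
        '_TS_CRTPMENABLED'   = '1'
        '_TS_CRTPMACTIVATED' = '0'    # TPM present but not activated
        '_TS_CRUEFI'         = ''     # check was not enabled on the step
        '_TS_CRACPOWER'      = '0'
        '_TS_CRNETWORK'      = '1'
        '_TS_CRWIRED'        = '1'
        '_TS_CRDISK'         = '1'
    }
    $reader = { param($n) $sample[$n] }.GetNewClosure()
}

$verdict = Get-ReadinessVerdict -ReadVariable $reader -Required $RequiredChecks -Advisory $AdvisoryChecks
$verdict.Results | Format-Table -AutoSize | Out-String | Write-Host

foreach ($item in $verdict.Blocking) {
    Write-Host "Blocking readiness check: $($item.Variable) is $($item.State)"
}
exit $verdict.ExitCode
```

With the constructed sample values, the script reports _TS_CRTPMACTIVATED (Failed) and _TS_CRUEFI (NotEvaluated) as blocking and exits with 4316, while the failed AC power check is only listed.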

Connect To Network Folder


Use this step to create a connection to a shared network folder.

This task sequence step runs in the full OS or Windows PE.

To add this step in the task sequence editor, select Add, select General, and select
Connect To Network Folder.

Variables for Connect To Network Folder


Use the following task sequence variables with this step:

SMSConnectNetworkFolderAccount
SMSConnectNetworkFolderDriveLetter
SMSConnectNetworkFolderPassword
SMSConnectNetworkFolderPath

Cmdlets for Connect To Network Folder


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepConnectNetworkFolder
New-CMTSStepConnectNetworkFolder
Remove-CMTSStepConnectNetworkFolder
Set-CMTSStepConnectNetworkFolder

Properties for Connect To Network Folder


On the Properties tab for this step, configure the settings described in this section.

Path

Select Browse to specify the network folder path. Use the format \\server\share.

Drive

Select the local drive letter to assign for this connection.

Account
Select Set to specify the user account with permissions to connect to this network
folder. For more information on the task sequence network folder connection account,
see Accounts.

Disable BitLocker
Use this step to disable BitLocker encryption on the current OS drive, or on a specific
drive. This action leaves the key protectors visible in clear text on the hard drive. It
doesn't decrypt the contents of the drive. This action completes almost instantly.

Note

BitLocker drive encryption provides low-level encryption of the contents of a disk
volume.

If you have multiple encrypted drives, disable BitLocker on any data drives before
disabling BitLocker on the OS drive.

This step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Disks, and select Disable
BitLocker.

Variables for Disable BitLocker


Use the following task sequence variables with this step:

OSDBitLockerRebootCount
OSDBitLockerRebootCountOverride

Cmdlets for Disable BitLocker


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepDisableBitLocker
New-CMTSStepDisableBitLocker
Remove-CMTSStepDisableBitLocker
Set-CMTSStepDisableBitLocker

Properties for Disable BitLocker


On the Properties tab for this step, configure the settings described in this section.

Current operating system drive

Disables BitLocker on the current OS drive.

Specific drive

Disables BitLocker on a specific drive. Use the drop-down list to specify the drive where
BitLocker is disabled.

Resume protection after Windows has been restarted the specified number of times

Use this option to specify the number of restarts to keep BitLocker disabled. Instead of
adding multiple instances of this step, set a value between 1 (default) and 15.

You can set and modify this behavior with the task sequence variables
OSDBitLockerRebootCount and OSDBitLockerRebootCountOverride.

Download Package Content
Use this step to download any of the following package types:

OS images
OS upgrade packages
Driver packages
Packages
Boot images (see Note 1)

This step works well in a task sequence to upgrade an OS in the following scenarios:

To use a single upgrade task sequence that can work with both x86 and x64
platforms. Include two Download Package Content steps in the Prepare for
Upgrade group. Specify conditions on the Options tab to detect the client
architecture, and download only the appropriate OS upgrade package. Configure
each Download Package Content step to use the same variable. Use the variable
for the media path on the Upgrade Operating System step.

To dynamically download an applicable driver package, use two Download
Package Content steps with conditions to detect the appropriate hardware type
for each driver package. Configure each Download Package Content step to use
the same variable. Use the variable for the Staged content value in the Drivers
section of the Upgrade Operating System step.

Note

When you deploy a task sequence that contains this step, don't select Download all
content locally before starting the task sequence or Access content directly from
a distribution point for Deployment options on the Distribution Points page of
the Deploy Software Wizard.

This step runs in either the full OS or Windows PE. The option to save the package in the
Configuration Manager client cache isn't supported in Windows PE.

Note

The Download Package Content task isn't supported for use with stand-alone
media. For more information, see Unsupported actions for stand-alone media.

To add this step in the task sequence editor, select Add, select Software, and select
Download Package Content.

Cmdlets for Download Package Content


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepDownloadPackageContent
New-CMTSStepDownloadPackageContent
Remove-CMTSStepDownloadPackageContent
Set-CMTSStepDownloadPackageContent

Properties for Download Package Content


On the Properties tab for this step, configure the settings described in this section.

Select package
Select the icon to choose the package to download. After you choose one package,
select the icon again to choose another package.

Place into the following location

Choose to save the package in one of the following locations:

Task sequence working directory: This location is also referred to as the task
sequence cache.

Configuration Manager client cache: Use this option to store the content in the
client cache. By default, this path is %WinDir%\ccmcache.

Custom path: The task sequence engine first downloads the package to the task
sequence working directory. It then moves the content to this path you specify.
The task sequence engine appends the path with the package ID.

Save path as a variable

Save the package's path into a custom task sequence variable. Then use this variable in
another task sequence step.

Configuration Manager adds a numerical suffix to the variable name. For example, you
specify a variable of %MyContent% as a custom variable. It's the root for where the task
sequence stores all referenced content for this step. This content may contain multiple
packages. When you refer to the variable, add a numerical suffix. For the first package,
refer to %MyContent01%. When you refer to the variable in subsequent steps, such as
Upgrade Operating System, use %MyContent02% or %MyContent03%, where the number
corresponds to the order that the Download Package Content step lists the packages.

If a package download fails, continue downloading other packages in the list

If the task sequence fails to download a package, it starts to download the next package
in the list. This behavior applies to all packages in the step. The task sequence ignores
download failures for any referenced package.

Note 1: Use of boot images in the Download Package Content step
If you configure the task sequence properties to Use a boot image, then adding a boot
image to this step is redundant. Only add a boot image to this step if it's not specified
on the properties of the task sequence.

Example use case

A single task sequence to pre-download content:


No associated boot image.
Runs only in the full OS, likely without user interaction.
Uses multiple Download Package Content steps with conditions. Depending
upon the specific language and architecture, it downloads content to the client
cache to prepare for the OS deployment task sequence.
There's only one instance of this task sequence, with all of the possible content
options.

Multiple OS deployment task sequences:


A normal OS deployment task sequence.
Has a boot image referenced in its properties.
There are multiple instances of this task sequence, with different boot images as
needed by architecture and language.

Enable BitLocker
BitLocker drive encryption provides low-level encryption of the contents of a disk
volume. Use this step to enable BitLocker encryption on at least two partitions on the
hard drive. The first active partition contains the Windows bootstrap code. Another
partition contains the OS. The bootstrap partition must remain unencrypted.

To enable BitLocker on a drive while in Windows PE, use the Pre-provision BitLocker
step.

This step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Disks, and select Enable
BitLocker.

When you specify TPM Only, TPM and Startup Key on USB, or TPM and PIN, the
Trusted Platform Module (TPM) must be in the following state before you can run the
Enable BitLocker step:

Enabled
Activated
Ownership Allowed

You can skip this step for computers that don't have a TPM or when the TPM isn't
enabled. This option makes it easier to manage the task sequence behavior on devices
that can't fully support BitLocker.

This step completes any remaining TPM initialization. The remaining actions don't
require physical presence or reboots. The Enable BitLocker step transparently completes
the following remaining TPM initialization actions, if necessary:

Create endorsement key pair
Create owner authorization value and escrow the recovery information
Take ownership
Create the storage root key, or reset if already present but incompatible

If you want the task sequence to wait for the Enable BitLocker step to complete the
drive encryption process, then select the Wait option. If you don't select the Wait
option, the drive encryption process happens in the background. The task sequence
immediately proceeds to the next step.

BitLocker can be used to encrypt multiple drives on a computer system, both OS and
data drives. To encrypt a data drive, first encrypt the OS drive and complete the
encryption process. This requirement is because the OS drive stores the key protectors
for the data drives. If you encrypt the OS and data drives in the same task sequence,
select the Wait option on the Enable BitLocker step for the OS drive.

If the hard drive is already encrypted, but BitLocker is disabled, then the Enable
BitLocker step re-enables the key protectors and completes quickly. Re-encryption of
the hard drive isn't necessary in this case.

Variables for Enable BitLocker


Use the following task sequence variables with this step:

OSDBitLockerPIN
OSDBitLockerRecoveryPassword
OSDBitLockerStartupKey
OSDRecoveryKeyPollingFrequency (starting in version 2203)
OSDRecoveryKeyPollingTimeout (starting in version 2203)

Cmdlets for Enable BitLocker


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepEnableBitLocker
New-CMTSStepEnableBitLocker
Remove-CMTSStepEnableBitLocker
Set-CMTSStepEnableBitLocker

Properties for Enable BitLocker


On the Properties tab for this step, configure the settings described in this section.

Choose the drive to encrypt


Specifies the drive to encrypt. To encrypt the current OS drive, select Current operating
system drive. Then configure one of the following options for key management:

TPM only: Select this option to use only Trusted Platform Module (TPM).

Startup Key on USB only: Select this option to use a startup key stored on a USB
flash drive. When you select this option, BitLocker locks the normal boot process
until a USB device that contains a BitLocker startup key is attached to the
computer.

TPM and Startup Key on USB: Select this option to use TPM and a startup key
stored on a USB flash drive. When you select this option, BitLocker locks the
normal boot process until a USB device that contains a BitLocker startup key is
attached to the computer.

TPM and PIN: Select this option to use TPM and a personal identification number
(PIN). When you select this option, BitLocker locks the normal boot process until
the user provides the PIN.

To encrypt a specific, non-OS data drive, select Specific drive. Then select the drive from
the list.

Disk encryption mode

Select one of the following encryption algorithms:

AES_128
AES_256
XTS_AES256
XTS_AES128

By default or if not specified, the step continues to use the default encryption method
for the OS version. If the step runs on a version of Windows that doesn't support the
specified algorithm, it falls back to the OS default. In this circumstance, the task
sequence engine sends status message 11911.

Use full disk encryption


By default, this step only encrypts used space on the drive. This default behavior is
recommended, as it's faster and more efficient. If your organization requires encrypting
the entire drive during setup, then enable this option. Windows Setup waits for the
entire drive to encrypt, which takes a long time, especially on large drives.

Tip

You can also use Configuration Manager to create and deploy BitLocker
management policies. These policies use full disk encryption. To manage BitLocker
on devices after the task sequence deploys the OS, enable this option. For more
information, see Plan for BitLocker management.

Choose where to create the recovery key


In Active Directory: BitLocker creates the recovery password and escrows it in
Active Directory. This option requires that you extend Active Directory for BitLocker
key escrow. BitLocker can then save the associated recovery information in Active
Directory.

The Configuration Manager database: Starting in version 2203, escrow the BitLocker
recovery information for the OS volume to Configuration Manager. Use this option if
you deploy policies for BitLocker management. Use this option instead of Active
Directory or waiting for the Configuration Manager client to receive BitLocker
management policy after the task sequence. Escrowing the recovery information to
Configuration Manager during the task sequence makes sure that the device is fully
protected by BitLocker when the task sequence completes. This behavior allows you to
immediately recover the OS volume.

Note

The client will only escrow its key to the Configuration Manager site if you
configure one of the following options:

Create and use a certificate to encrypt the site database for BitLocker
management.

Enable the BitLocker client management policy option to Allow recovery
information to be stored in plain text.

For more information, see Encrypt recovery data in the database.

To not create a password, select Do not create recovery key. Creating a password is the
recommended option.

Note

If Configuration Manager can't escrow the key, by default this task sequence step
fails.

Wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution

Select this option to allow BitLocker drive encryption to complete prior to running the
next step in the task sequence. If you select this option, BitLocker encrypts the entire
disk volume before the user is able to sign in to the computer.

The encryption process can take hours to complete when encrypting a large hard drive.
Not selecting this option allows the task sequence to proceed immediately.

Skip this step for computers that do not have a TPM or when TPM is not enabled

Select this option to skip drive encryption on a computer that doesn't contain a
supported or enabled TPM. For example, use this option when you deploy an OS to a
virtual machine. By default, this setting is disabled for the Enable BitLocker step. If you
enable this setting, and the device doesn't have a functional TPM, the task sequence
engine logs an error to smsts.log and sends status message 11912. The task sequence
continues past this step.

Format and Partition Disk


Use this step to format and partition a specified disk on the destination computer.

Important

Every setting you specify for this step applies to a single specified disk. To format
and partition another disk on the destination computer, add an additional Format
and Partition Disk step to the task sequence.

This step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Disks, and select Format
and Partition Disk.

Variables for Format and Partition Disk


Use the following task sequence variables with this step:

OSDDiskIndex
OSDGPTBootDisk
OSDPartitions
OSDPartitionStyle

Cmdlets for Format and Partition Disk


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepPartitionDisk
New-CMTSStepPartitionDisk
Remove-CMTSStepPartitionDisk
Set-CMTSStepPartitionDisk
New-CMTSPartitionSetting

Properties for Format and Partition Disk


On the Properties tab for this step, configure the settings described in this section.

Disk Number

The physical disk number of the disk to format. The number is based on Windows disk
enumeration ordering.

In version 2010 and earlier, this number can't be larger than 99. In version 2103 and
later, the maximum number is 10,000. This change helps support storage area network
(SAN) scenarios.

Variable name to store disk number


Use a task sequence variable to specify the target disk to format. This variable option
supports more complex task sequences with dynamic behaviors. For example, a custom
script can detect the disk and set the variable based on the hardware type. Then you can
use multiple instances of this step to configure different hardware types and partitions.

If you select this property, enter a custom variable name. Add an earlier step in the task
sequence to set the value of this custom variable to an integer value for the physical
disk.

The following mock steps show one example:

Run PowerShell Script: a custom script to collect target disks
    Sets myOSDisk to 1
    Sets myDataDisk to 2

Format and Partition Disk for OS disk: specifies myOSDisk variable
    Configures disk 1 as the system disk

Format and Partition Disk for data disk: specifies myDataDisk variable
    Configures disk 2 for raw storage

A variation of this example uses disk numbers and partitioning plans for different
hardware types.

Note

You can still use the existing task sequence variable OSDDiskIndex. However, each
instance of the Format and Partition Disk step uses the same index value. If you
want to programmatically set the disk number for multiple instances of this step,
use this variable property.
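
One way to write the custom script from the mock steps above, as an added example that is not part of the product documentation. It assumes a boot image that includes the WinPE-PowerShell and WinPE-StorageWMI optional components; the function name Select-TargetDisk and the size-based selection rule are illustrative. The script stops with an error when the choice is ambiguous, because the following step formats whatever disk number it is given.

```powershell
# Added example. Select-TargetDisk is a hypothetical helper, not a product cmdlet.
# Assumed rule: the smaller internal disk is the OS disk, the larger one is the data disk.
function Select-TargetDisk {
    [CmdletBinding()]
    param(
        # Objects with Number, BusType and Size properties, such as Get-Disk output
        [Parameter(Mandatory)] [object[]] $Disk
    )

    # Never offer removable media (for example the boot USB stick) as a format target.
    $removableBus = 'USB', 'SD', 'MMC'
    $internal = @($Disk |
        Where-Object { $removableBus -notcontains $_.BusType } |
        Sort-Object Size, Number)

    # Fail closed: an unexpected disk count means the layout is not the one planned for.
    if ($internal.Count -lt 1 -or $internal.Count -gt 2) {
        throw "Expected 1 or 2 internal disks, found $($internal.Count). No variable was set."
    }
    if ($internal.Count -eq 2 -and $internal[0].Size -eq $internal[1].Size) {
        throw 'Both internal disks have the same size. Refusing to guess the OS disk.'
    }

    $selection = [ordered]@{ myOSDisk = [int]$internal[0].Number }
    if ($internal.Count -eq 2) {
        $selection.myDataDisk = [int]$internal[1].Number
    }
    return $selection
}

# The task sequence environment COM object only exists while a task sequence runs.
$tsenv = $null
try {
    $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
} catch { }

if ($null -ne $tsenv) {
    # Inside the task sequence: any error here fails the step before a disk is formatted.
    $selection = Select-TargetDisk -Disk (Get-Disk -ErrorAction Stop)
    foreach ($name in $selection.Keys) {
        $tsenv.Value($name) = [string]$selection[$name]
    }
} else {
    # Outside a task sequence: constructed sample disks, for trying the selection rule.
    $sample = @(
        [pscustomobject]@{ Number = 0; BusType = 'USB';  Size = 32GB }
        [pscustomobject]@{ Number = 1; BusType = 'NVMe'; Size = 512GB }
        [pscustomobject]@{ Number = 2; BusType = 'SATA'; Size = 2TB }
    )
    Select-TargetDisk -Disk $sample
}
```

Each Format and Partition Disk step then names myOSDisk or myDataDisk in its Variable name to store disk number property.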

Disk Type

The type of the disk to format. There are two options to select from the drop-down list:

Standard (MBR): Master Boot Record
GPT: GUID Partition Table

Note

If you change the disk type from Standard (MBR) to GPT, and the partition layout
contains an extended partition, the task sequence removes all extended and logical
partitions from the layout. The task sequence editor prompts to confirm this action
before changing the disk type.

Volume

Specific information about the partition or volume that the task sequence creates,
including the following attributes:

Name
Remaining disk space

To create a new partition, select New to launch the Partition Properties dialog box.
Specify the partition type and size, and if it's a boot partition. To modify an existing
partition, select the partition to be modified, and then select the Properties button. For
more information about how to configure hard drive partitions, see one of the following
articles:

UEFI/GPT-based hard drive partitions
BIOS/MBR-based hard drive partitions

To delete a partition, choose the partition, and then select Delete.

Install Application

This step installs the specified applications, or a set of applications defined by a dynamic
list of task sequence variables. When the task sequence runs this step, the application
installation begins immediately without waiting for a policy polling interval.

The applications must meet the following criteria:

The application must have a deployment type of Windows Installer or Script
installer. Windows app package (.appx file) deployment types aren't supported.

It must run under the Local System account and not the user account.

It must not interact with the desktop. The program must run silently or in an
unattended mode.

It must not initiate a restart on its own. The application must request a restart by
using the standard restart code, 3010. This behavior makes sure that this step
correctly handles the restart. If the application returns a 3010 exit code, the task
sequence engine restarts the computer. After the restart, the task sequence
automatically continues.

If the application checks for running executable files, the task sequence will fail to
install it. If you don't configure this step to continue on error, then the entire task
sequence fails.

It's not supported to install applications during an OS deployment task sequence when
the device also has policies assigned for Windows Defender Application Control. In this
scenario, you can't use these applications after the task sequence completes. To work
around this timing issue, deploy the applications after the task sequence completes.

Note

Starting in version 2107, when the following conditions are true, there's a
seven-minute delay before this step:

The task sequence is running from standalone media.
The previous step was Restart Computer.
The current Install Application step doesn't continue on error.

In versions 2103 and earlier, the step would fail under these conditions. The task
sequence didn't properly evaluate that the app install was successful.

When this step runs, the application checks the applicability of the requirement rules
and detection method on its deployment types. Based on the results of this check, the
application installs the applicable deployment type. If a deployment type contains
dependencies, the dependent deployment type is evaluated and installed as part of this
step. Application dependencies aren't supported for stand-alone media.

Note

To install an application that supersedes another application, the content files for
the superseded application must be available. Otherwise this task sequence step
fails. For example, Microsoft Visio 2010 is installed on a client or in a captured
image. When the Install Application step installs Microsoft Visio 2013, the content
files for Microsoft Visio 2010 (the superseded application) must be available on a
distribution point. If Microsoft Visio isn't installed at all on a client or captured
image, the task sequence installs Microsoft Visio 2013 without checking for the
Microsoft Visio 2010 content files.

If you retire a superseded app, and the new app is referenced in a task sequence,
the task sequence fails to start. This behavior is by design: the task sequence
requires all app references.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Software, and select
Install Application.

Variables for Install Application


Use the following task sequence variables with this step:

_TSAppInstallStatus
SMSTSMPListRequestTimeoutEnabled
SMSTSMPListRequestTimeout
TSErrorOnWarning

Note

If the client fails to retrieve the management point list from location services, use
the SMSTSMPListRequestTimeoutEnabled and SMSTSMPListRequestTimeout task
sequence variables. These variables specify how many milliseconds a task sequence
waits before it retries installing an application. For more information, see Task
sequence variables.

Cmdlets for Install Application


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepInstallApplication
New-CMTSStepInstallApplication
Remove-CMTSStepInstallApplication
Set-CMTSStepInstallApplication

Properties for Install Application


On the Properties tab for this step, configure the settings that are described in this
section.

Install the following applications


The task sequence installs these applications in the specified order.

Configuration Manager filters out any disabled applications, or any applications with the
following settings:

Only when a user is logged on
Run with user rights

These applications don't appear in the Select the application to install dialog box.

Install applications according to dynamic variable list


The task sequence installs applications using this base variable name. The base variable
name is for a set of task sequence variables defined for a collection or computer. These
variables specify the applications that the task sequence installs for that collection or
computer. Each variable name consists of its common base name plus a numerical suffix
starting at 01. The value for each variable must contain the name of the application and
nothing else.

For the task sequence to install applications by using a dynamic variable list, enable the
following setting on the General tab of the application Properties: Allow this
application to be installed from the Install Application task sequence action instead of
deploying manually.

Note

You can't install applications by using a dynamic variable list for stand-alone media
deployments.

For example, to install a single application by using a task sequence variable called
AA01, specify the following variable:

Variable Name    Variable Value
AA01             Microsoft Office

To install two applications, specify the following variables:

Variable Name    Variable Value
AA01             Microsoft Lync
AA02             Microsoft Office

The following conditions affect the applications installed by the task sequence:

If the value of a variable contains any information other than the name of the
application, the task sequence doesn't install the application, and the task
sequence continues.

If the task sequence doesn't find a variable with the specified base name and "01"
suffix, the task sequence doesn't install any applications.

Important

These values are case-sensitive. For example, "install" is different than "Install". If
you need to change the value, the task sequence editor doesn't detect a change of
case. Make another edit at the same time, for example, modify the step description.

If an application fails, continue installing other applications in the list

This setting specifies that the step continues when an individual application installation
fails. If you specify this setting, the task sequence continues regardless of any installation
errors. If you don't specify this setting, and the installation fails, the step immediately
ends.

Clear application content from cache after installing

Delete the app content from the client cache after the step runs. This behavior is
beneficial on devices with small hard drives or when installing lots of large apps in
succession.

Options for Install Application

Note

When you select Continue on error on the Options tab of this step, the task
sequence continues when an application fails to install. When you don't enable this
option, the task sequence fails, and doesn't install remaining applications.

Besides the default options, configure the following additional settings on the Options
tab of this task sequence step:

Retry this step if computer unexpectedly restarts

If one of the application installations unexpectedly restarts the computer, retry this step.
The step enables this setting by default with two retries. You can specify from one to five
retries.

Install Package

Use this step to install a software package as part of the task sequence. When this step
runs, the installation begins immediately without waiting for a policy polling interval.

The package must meet the following criteria:

It must run under the Local System account and not a user account.

It shouldn't interact with the desktop. The program must run silently or in an
unattended mode.

It must not initiate a restart on its own. The software must request a restart using
the standard restart code, 3010. This behavior makes sure that the task sequence
properly handles the restart. If the software does return a 3010 exit code, the task
sequence engine restarts the computer. After the restart, the task sequence
automatically continues.

Programs that use the Run another program first option to install a dependent
program aren't supported when deploying an OS. If you enable the package option Run
another program first, and the dependent program already ran on the destination
computer, the dependent program runs and the task sequence continues. However, if
the dependent program hasn't already run on the destination computer, the task
sequence step fails.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Software, and select
Install Package.

Known issue with Install Package step and standalone media created at the central administration site

An error might occur if your task sequence includes the Install Package step and you
create the stand-alone media at a central administration site (CAS). The CAS doesn't
have the necessary client configuration policies. These policies are required to enable
the software distribution agent when the task sequence runs. The following error might
appear in the CreateTsMedia.log file: WMI method
SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, create the stand-alone
media at a primary site that has the software distribution agent enabled.

Alternatively, use a custom Run PowerShell Script step. Add it after the Setup Windows
and ConfigMgr step and before the first Install Package step. The Run PowerShell
Script step runs the following commands to enable the software distribution agent
before the first Install Package step:

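PowerShell

# WMI namespace and class that hold the client's requested machine policy
$namespace = "root\ccm\policy\machine\requestedconfig"
$class = "CCM_SoftwareDistributionClientConfig"

# Local policy instance that enables the software distribution agent
$classArgs = @{
    ComponentName   = 'Enable SWDist'
    Enabled         = 'true'
    LockSettings    = 'TRUE'
    PolicySource    = 'local'
    PolicyVersion   = '1.0'
    SiteSettingsKey = '1'
}

# CreateOnly: create the instance only if it doesn't already exist
Set-WmiInstance -Namespace $namespace -Class $class -Arguments $classArgs -PutType CreateOnly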

Variables for Install Package


Use the following task sequence variables with this step:

OSDDoNotLogCommand

Cmdlets for Install Package


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepInstallSoftware
New-CMTSStepInstallSoftware
Remove-CMTSStepInstallSoftware
Set-CMTSStepInstallSoftware

 Tip

Use content pre-caching to download an applicable OS upgrade package before a
user installs the task sequence. For more information, see Configure pre-cache
content.

Properties for Install Package


On the Properties tab for this step, configure the settings described in this section.

Install a single software package


This setting specifies a Configuration Manager software package. The step waits until
the installation completes.

Install software packages according to dynamic variable list

The task sequence installs packages using this base variable name. The base variable
name is for a set of task sequence variables defined for a collection or computer. These
variables specify the packages that the task sequence installs for that collection or
computer. Each variable name consists of its common base name plus a numerical suffix
starting at 001. The value for each variable must contain a package ID and the name of
the software separated by a colon.

For the task sequence to install software by using a dynamic variable list, enable the
following setting on the Advanced tab of the package Properties: Allow this program
to be installed from the Install Package task sequence without being deployed.

Note

You can't install software packages by using a dynamic variable list for stand-alone
media deployments.

For example, to install a single software package by using a task sequence variable
called AA001, you specify the following variable:

Variable Name    Variable Value
AA001            CEN00054:Install

To install three software packages, you would specify the following variables:

Variable Name    Variable Value
AA001            CEN00054:Install
AA002            CEN00107:Install Silent
AA003            CEN00031:Install

The following conditions affect the packages installed by the task sequence:

If you don't create the value of a variable in the correct format, or it doesn't specify
a valid package ID and name, the software installation fails.

If the package ID contains lowercase characters, the software installation fails.

If the task sequence doesn't find a variable with the specified base name and "001"
suffix, the task sequence doesn't install any packages. The task sequence
continues.

Important

These values are case-sensitive. For example, "install" is different than "Install". If
you need to change the value, the task sequence editor doesn't detect a change of
case. Make another edit at the same time, for example, modify the step description.
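
The format rules for both dynamic variable lists (Install Application earlier in this article and Install Package here) can be checked before a deployment, which matters because these variables decide what installs under the Local System account. The following PowerShell function is an added example, not a Configuration Manager cmdlet; the function name, the approved-list parameter, and the sample values marked as constructed are assumptions.

```powershell
# Added example. Test-DynamicVariableList is a hypothetical helper, not a product cmdlet.
function Test-DynamicVariableList {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidateSet('Application', 'Package')] [string] $Kind,
        [Parameter(Mandatory)] [string] $BaseName,
        # Variable name -> value, as defined on the collection or computer
        [Parameter(Mandatory)] [hashtable] $Variable,
        # Exact values that have been approved (assumption: you maintain such a list)
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Applications use a two-digit suffix from 01, packages a three-digit suffix from 001.
    $digits  = if ($Kind -eq 'Application') { 2 } else { 3 }
    $first   = $BaseName + '1'.PadLeft($digits, '0')
    $pattern = '^' + [regex]::Escape($BaseName) + '\d{' + $digits + '}$'
    $findings = New-Object System.Collections.Generic.List[string]

    if (-not $Variable.ContainsKey($first)) {
        $findings.Add("$first is not defined: the step installs nothing for base name '$BaseName'")
    }

    foreach ($name in ($Variable.Keys | Sort-Object)) {
        # Other variables on the collection or computer are not part of this list.
        if ($name -notmatch $pattern) { continue }
        $value = [string]$Variable[$name]

        if ($Kind -eq 'Package') {
            # Package values are a package ID and a name separated by a colon.
            $id, $program = $value -split ':', 2
            if (-not $id -or -not $program) {
                $findings.Add("${name}: '$value' is not in PackageID:Name form")
                continue
            }
            if ($id -cmatch '[a-z]') {
                $findings.Add("${name}: package ID '$id' contains lowercase characters")
            }
        }

        # Values are case-sensitive, so the comparison is too.
        if ($Approved -cnotcontains $value) {
            $findings.Add("${name}: '$value' is not on the approved list (case-sensitive)")
        }
    }
    return ,$findings.ToArray()
}

# Constructed sample values, modelled on the tables in this article.
$packageVars = @{
    AA001 = 'CEN00054:Install'
    AA002 = 'CEN00107:Install Silent'
    AA003 = 'cen00031:install'     # constructed error: lowercase ID and name
}
$approvedPackages = 'CEN00054:Install', 'CEN00107:Install Silent', 'CEN00031:Install'
Test-DynamicVariableList -Kind Package -BaseName 'AA' -Variable $packageVars -Approved $approvedPackages

$appVars = @{ AA02 = 'Microsoft Office' }   # constructed error: AA01 is missing
$approvedApps = 'Microsoft Lync', 'Microsoft Office'
Test-DynamicVariableList -Kind Application -BaseName 'AA' -Variable $appVars -Approved $approvedApps
```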

If installation of a software package fails, continue installing other packages in the list

This setting specifies that the step continues if an individual software package
installation fails. If you specify this setting, the task sequence continues regardless of any
installation errors. If you don't specify this setting, and the installation fails, the step
immediately ends.

Install Software Updates


Use this step to install software updates on the destination computer. The destination
computer isn't evaluated for applicable software updates until this task sequence step
runs. At that time, the destination computer is evaluated for software updates like any
other Configuration Manager client. For this step to install software updates, first deploy
the updates to a collection of which the target computer is a member.

Important

For best performance, install the latest version of the Windows Update Agent.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Software, and select
Install Software Updates.

Variables for Install Software Updates


Use the following task sequence variables with this step:

SMSInstallUpdateTarget
SMSTSMPListRequestTimeoutEnabled
SMSTSMPListRequestTimeout
SMSTSSoftwareUpdateScanTimeout
SMSTSWaitForSecondReboot

Note

If the client fails to retrieve the management point list from location services, use
the SMSTSMPListRequestTimeoutEnabled and SMSTSMPListRequestTimeout
variables. These variables specify how many milliseconds a task sequence waits
before it retries installing an application or software update. For more information,
see Task sequence variables.

Cmdlets for Install Software Updates


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepInstallUpdate
New-CMTSStepInstallUpdate
Remove-CMTSStepInstallUpdate
Set-CMTSStepInstallUpdate

For more recommendations and a technical flow chart diagram for this step, see Install
Software Updates.

Properties for Install Software Updates


On the Properties tab for this step, configure the settings described in this section.

Required for installation - Mandatory software updates only

Select this option to install all mandatory software updates with administrator-defined
installation deadlines.

Available for installation - All software updates

Select this option to install all available software updates. First deploy these updates to a
collection of which the computer is a member. The task sequence installs all available
software updates on the destination computers.

Evaluate software updates from cached scan results

By default, this step uses cached scan results from the Windows Update Agent. Disable
this option to instruct the Windows Update Agent to download the latest catalog from
the software update point. Enable this option when using a task sequence to capture
and build an OS image. A large number of software updates is likely in this scenario.
Many of these updates have dependencies. For example, update XYZ doesn't appear as
applicable until update ABC is installed. When you disable this setting, and deploy the task
sequence to many clients, they all connect to the software update point at the same
time. This behavior results in performance issues during the process and download of
the update catalog.

In most circumstances, use the default setting to use cached scan results.

The SMSTSSoftwareUpdateScanTimeout variable controls the software updates scan
timeout during this step. The default value is 60 minutes. For more information, see Task
sequence variables.

Options for Install Software Updates


Besides the default options, configure the following additional settings on the Options
tab of this task sequence step:

Retry this step if computer unexpectedly restarts

If one of the updates unexpectedly restarts the computer, retry this step. The step
enables this setting by default with two retries. You can specify from one to five retries.

Note

Configure the SMSTSWaitForSecondReboot variable to specify how many seconds
the task sequence pauses after the computer restarts in this scenario. For more
information, see Task sequence variables.

Join Domain or Workgroup


Use this step to add the destination computer to a workgroup or domain.

Note

When an Azure Active Directory (Azure AD)-joined client runs an OS deployment
task sequence, the client in the new OS won't automatically join Azure AD. Even
though it's not Azure AD-joined, the client is still managed.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select General, and select Join
Domain or Workgroup.

Variables for Join Domain or Workgroup


Use the following task sequence variables with this step:

OSDJoinAccount
OSDJoinDomainName
OSDJoinDomainOUName
OSDJoinPassword
OSDJoinSkipReboot
OSDJoinType
OSDJoinWorkgroupName

Cmdlets for Join Domain or Workgroup


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepJoinDomainWorkgroup
New-CMTSStepJoinDomainWorkgroup
Remove-CMTSStepJoinDomainWorkgroup
Set-CMTSStepJoinDomainWorkgroup

Properties for Join Domain or Workgroup


On the Properties tab for this step, configure the settings described in this section.

Join a workgroup

Select this option to have the destination computer join the specified workgroup. If the
computer is currently a member of a domain, selecting this option causes the computer
to reboot.

Join a domain

Select this option to have the destination computer join the specified domain.

Optionally, enter or browse for an organizational unit (OU) in the specified domain for
the computer to join. If the computer is currently a member of some other domain or a
workgroup, this option causes the computer to reboot. If the computer is already a
member of another OU, since Active Directory Domain Services doesn't allow changing
the OU via this method, Windows Setup ignores this setting.

Enter the account which has permission to join the domain

Select Set to enter the username and password for an account with permissions to join
the domain. Enter the account in the format: Domain\account. For more information on
the task sequence domain joining account, see Accounts.

Prepare ConfigMgr Client for Capture


Use this step to remove or configure the Configuration Manager client on the reference
computer. This action prepares the computer for capture as part of the imaging process.

This step completely removes the Configuration Manager client, instead of only
removing key information. When the task sequence deploys the captured OS image, it
installs a new Configuration Manager client each time.

 Tip

By default, the task sequence engine only removes the client during the Build and
capture a reference operating system image task sequence. The task sequence
engine doesn't remove the client during other capture methods, such as capture
media or a custom task sequence. You can override this behavior for an OS
deployment task sequence. Set the task sequence variable
SMSTSUninstallCCMClient to TRUE before the Prepare ConfigMgr Client for
Capture step. This variable and behavior only apply to OS deployment task
sequences. It removes the client after the next restart of the device.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Images, and select
Prepare ConfigMgr Client for Capture.

Variables for Prepare ConfigMgr Client for Capture


Use the following task sequence variables with this step:

SMSTSUninstallCCMClient

Cmdlets for Prepare ConfigMgr Client for Capture

Manage this step with the following PowerShell cmdlets:

Get-CMTSStepPrepareConfigMgrClient
New-CMTSStepPrepareConfigMgrClient
Remove-CMTSStepPrepareConfigMgrClient
Set-CMTSStepPrepareConfigMgrClient

Prepare Windows for Capture


Use this step to specify the Sysprep options when capturing an OS image on the
reference computer. This step runs Sysprep, and then reboots the computer into the
Windows PE boot image specified for the task sequence. This action fails if the reference
computer is joined to a domain.

This step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Images, and select
Prepare Windows for Capture.

Variables for Prepare Windows for Capture


Use the following task sequence variables with this step:

OSDKeepActivation
OSDTargetSystemRoot

Cmdlets for Prepare Windows for Capture


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepPrepareWindows
New-CMTSStepPrepareWindows
Remove-CMTSStepPrepareWindows
Set-CMTSStepPrepareWindows

Properties for Prepare Windows for Capture


On the Properties tab for this step, configure the settings described in this section.

Automatically build mass storage driver list

Select this option to have Sysprep automatically build a list of mass storage drivers from
the reference computer. This option enables the Build Mass Storage Drivers option in
the sysprep.inf file on the reference computer. For more information about this setting,
see the Sysprep documentation.

Do not reset activation flag


Select this option to prevent Sysprep from resetting the product activation flag.

Shut down the computer after running this action


This option instructs Sysprep to shut down the computer instead of its default restart
behavior.

The Windows Autopilot for existing devices task sequence uses this step with this
option.

If you want the task sequence to refresh the device and then immediately start
OOBE for Autopilot, leave this option off.

Enable this option to shut down the device after imaging. Then you can deliver the
device to a user, who starts OOBE with Autopilot when they turn it on for the first
time.

Pre-provision BitLocker

Use this step to enable BitLocker on a drive while in Windows PE. By default, only the
used drive space is encrypted, so encryption times are much faster. You apply the key
management options by using the Enable BitLocker step after the OS installs.

) Important

Pre-provisioning BitLocker requires that the computer has a supported and enabled
Trusted Platform Module (TPM).

This step runs only in Windows PE. It doesn't run in the full OS.

To add this step in the task sequence editor, select Add, select Disks, and select
Pre-provision BitLocker.

Cmdlets for Pre-provision BitLocker

Manage this step with the following PowerShell cmdlets:

Get-CMTSStepOfflineEnableBitLocker
New-CMTSStepOfflineEnableBitLocker
Remove-CMTSStepOfflineEnableBitLocker
Set-CMTSStepOfflineEnableBitLocker

Properties for Pre-provision BitLocker


On the Properties tab for this step, configure the settings described in this section.

Apply BitLocker to the specified drive

Specify the drive for which you want to enable BitLocker. BitLocker only encrypts the
used space on the drive.

Disk encryption mode (Pre-provision BitLocker)


Select one of the following encryption algorithms:

AES_128
AES_256
XTS_AES256
XTS_AES128

By default or if not specified, the step continues to use the default encryption method
for the OS version. If the step runs on a version of Windows that doesn't support the
specified algorithm, it falls back to the OS default. In this circumstance, the task
sequence engine sends status message 11911.

Use full disk encryption (Pre-provision BitLocker)


By default, this step only encrypts used space on the drive. This default behavior is
recommended, as it's faster and more efficient. If your organization requires encrypting
the entire drive during setup, then enable this option. Windows Setup waits for the
entire drive to encrypt, which takes a long time, especially on large drives.

Skip this step for computers that do not have a TPM or when TPM is not enabled (Pre-provision BitLocker)

Select this option to skip drive encryption on a computer that doesn't contain a
supported or enabled TPM. For example, use this option when you deploy an OS to a
virtual machine. By default, this setting is enabled for the Pre-provision BitLocker step.
The step fails on a device without a TPM or a TPM that doesn't initialize. If the device
doesn't have a functional TPM, the task sequence engine logs a warning to smsts.log
and sends status message 11912.
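
Because the Enable BitLocker and Pre-provision BitLocker steps can fall back to the OS default algorithm, or skip encryption while the task sequence continues, it is worth checking the result on the deployed device. This added example (not part of the product documentation) compares Get-BitLockerVolume output with the settings chosen in the steps; the function name Test-BitLockerOutcome and the constructed sample volume are assumptions.

```powershell
# Added example. Test-BitLockerOutcome is a hypothetical helper, not a product cmdlet.
function Test-BitLockerOutcome {
    [CmdletBinding()]
    param(
        # Object shaped like Get-BitLockerVolume output for the OS volume
        [Parameter(Mandatory)] [object] $Volume,
        # Disk encryption mode selected in the task sequence step
        [Parameter(Mandatory)]
        [ValidateSet('AES_128', 'AES_256', 'XTS_AES128', 'XTS_AES256')]
        [string] $ExpectedMode,
        # Set when the step was configured with "Do not create recovery key"
        [switch] $NoRecoveryKey
    )

    # Step option name -> EncryptionMethod name that Get-BitLockerVolume reports
    $methodName = @{
        AES_128    = 'Aes128'
        AES_256    = 'Aes256'
        XTS_AES128 = 'XtsAes128'
        XTS_AES256 = 'XtsAes256'
    }
    $findings = New-Object System.Collections.Generic.List[string]
    $protectors = @(@($Volume.KeyProtector) |
        Where-Object { $_ } |
        ForEach-Object { [string]$_.KeyProtectorType })

    if ([string]$Volume.VolumeStatus -eq 'FullyDecrypted') {
        # A skipped step leaves the volume unencrypted while the task sequence continues.
        $findings.Add('Volume is not encrypted: check smsts.log and status message 11912')
        return ,$findings.ToArray()
    }
    if ([string]$Volume.ProtectionStatus -ne 'On') {
        $findings.Add("Protection status is '$($Volume.ProtectionStatus)', expected 'On'")
    }

    $actual = [string]$Volume.EncryptionMethod
    if ($actual -ne $methodName[$ExpectedMode]) {
        $findings.Add("Encryption method is $actual, expected $($methodName[$ExpectedMode]): check status message 11911")
    }

    # Any protector other than the recovery password is a startup protector (TPM, PIN, USB key).
    if (@($protectors | Where-Object { $_ -ne 'RecoveryPassword' }).Count -eq 0) {
        $findings.Add('No TPM, PIN or startup key protector is present')
    }
    if (-not $NoRecoveryKey -and $protectors -notcontains 'RecoveryPassword') {
        $findings.Add('No recovery password protector exists, so there is nothing to escrow')
    }
    return ,$findings.ToArray()
}

# Constructed sample, shaped like Get-BitLockerVolume output for C: on a device where
# the selected algorithm was not applied and no recovery password was created.
$sample = [pscustomobject]@{
    MountPoint       = 'C:'
    VolumeStatus     = 'FullyEncrypted'
    ProtectionStatus = 'On'
    EncryptionMethod = 'XtsAes128'
    KeyProtector     = @([pscustomobject]@{ KeyProtectorType = 'Tpm' })
}
Test-BitLockerOutcome -Volume $sample -ExpectedMode 'XTS_AES256'

# On a deployed device, from an elevated session:
# Test-BitLockerOutcome -Volume (Get-BitLockerVolume -MountPoint $env:SystemDrive) -ExpectedMode 'XTS_AES256'
```

An empty result means the volume matches the configured settings; whether the recovery information reached Active Directory or the site database still has to be confirmed on the server side.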

Release State Store


Use this step to notify the state migration point that the capture or restore action is
complete. Use this step in conjunction with the Request State Store, Capture User State,
and Restore User State steps. You use these steps to migrate user state data using a
state migration point and the User State Migration Tool (USMT).

For more information about managing the user state when deploying operating
systems, see Manage user state.

If you use the Request State Store step to request access to a state migration point to
capture user state, this step notifies the state migration point that the capture process is
complete. The state migration point then marks the user state data as available for
restore. The state migration point sets the access control permissions for the user state
data so that only the restoring computer has read-only access.

If you use the Request State Store step to request access to a state migration point to
restore user state, this step notifies the state migration point that the restore process is
complete. The state migration point then activates its configured data retention settings.

Important

Set the Continue on Error option for any steps between the Request State Store
and Release State Store steps. Every Request State Store step must have a
matching Release State Store step.

This step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select User State, and select
Release State Store.

Variables for Release State Store


Use the following task sequence variables with this step:

OSDStateStorePath

Cmdlets for Release State Store


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepReleaseStateStore
New-CMTSStepReleaseStateStore
Remove-CMTSStepReleaseStateStore
Set-CMTSStepReleaseStateStore

Properties for Release State Store


This step doesn't require any settings on the Properties tab.

Request State Store


Use this step to request access to a state migration point when capturing or restoring
state.

For more information about managing the user state when deploying operating
systems, see Manage user state.

Use this step in conjunction with the Release State Store, Capture User State, and
Restore User State steps. You use these steps to migrate computer state using a state
migration point and the User State Migration Tool (USMT).

Note

When creating a new state migration point, user state storage isn't available for up
to one hour. To expedite availability, adjust any property settings on the state
migration point to trigger a site control file update.

This step runs in the full OS and in Windows PE for offline USMT.

To add this step in the task sequence editor, select Add, select User State, and select
Request State Store.

Variables for Request State Store


Use the following task sequence variables with this step:

OSDStateFallbackToNAA
OSDStateSMPRetryCount
OSDStateSMPRetryTime
OSDStateStorePath

Cmdlets for Request State Store


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepRequestStateStore
New-CMTSStepRequestStateStore
Remove-CMTSStepRequestStateStore
Set-CMTSStepRequestStateStore

Properties for Request State Store


On the Properties tab for this step, configure the settings described in this section.

Capture state from the computer


Find a state migration point that meets the minimum requirements as configured in the
state migration point settings. For example, Maximum number of clients and Minimum
amount of free disk space. This option doesn't guarantee sufficient space is available at
the time of state migration. This option requests access to the state migration point for
the purpose of capturing the user state and settings from a computer.

If the Configuration Manager site has multiple active state migration points, this step
finds a state migration point with available disk space. The task sequence queries the
management point for a list of state migration points, and then evaluates each until it
finds one that meets the minimum requirements.

Restore state from another computer

Request access to a state migration point to restore previously captured user state and
settings to a destination computer.

If there are multiple state migration points, this step finds the state migration point that
has the state for the destination computer.

Number of retries

The number of times that this step tries to find an appropriate state migration point
before failing.

Retry delay (in seconds)

The amount of time in seconds that the task sequence step waits between retry
attempts.

If computer account fails to connect to a state store, use the network access account

If the task sequence can't access the state migration point using the computer account,
it uses the network access account credentials to connect. This option is less secure
because other computers could use the network access account to access the stored
state. This option might be necessary if the destination computer isn't domain joined.

Restart Computer

Use this step to restart the computer running the task sequence. After the restart, the
computer automatically continues with the next step in the task sequence.

This step can be run in either the full OS or Windows PE.

To add this step in the task sequence editor, select Add, select General, and select
Restart Computer.

Variables for Restart Computer


Use the following task sequence variables with this step:

SMSRebootMessage
SMSRebootTimeout

Cmdlets for Restart Computer


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepReboot
New-CMTSStepReboot
Remove-CMTSStepReboot
Set-CMTSStepReboot

Properties for Restart Computer

On the Properties tab for this step, configure the settings described in this section.

The boot image assigned to this task sequence

Select this option for the destination computer to use the boot image assigned to the
task sequence. The task sequence uses the boot image to run subsequent steps in
Windows PE.

The currently installed default operating system


Select this option for the destination computer to reboot into the installed OS.

Notify the user before restarting


Select this option to display a notification to the user before the destination computer
restarts. The step selects this option by default.

Notification message

Enter a notification message to display to the user before the destination computer
restarts.

Message display time-out


Specify the amount of time in seconds before the destination computer restarts. The
default is 60 seconds.

Restore User State


Use this step to initiate the User State Migration Tool (USMT) to restore user state and
settings to the destination computer. You use this step in conjunction with the Capture
User State step.

For more information about managing the user state when deploying operating
systems, see Manage user state.

Use this step with the Request State Store and Release State Store steps to save or
restore the state settings with a state migration point. This option always decrypts the
USMT state store by using an encryption key that Configuration Manager generates and
manages.

Starting in version 2103, this step and the Capture User State step use the current
highest supported encryption algorithm, AES 256.

Important

If you have any active user state migrations, before you update the Configuration
Manager client on those devices, restore the user state. Otherwise, the updated
client will fail to restore the user state when it tries to use a different encryption
algorithm. If necessary, you can manually restore the user state and explicitly use
the USMT parameter /decrypt:3DES.

The Restore User State step provides control over a limited subset of the most
commonly used USMT options. Specify additional command-line options with the
OSDMigrateAdditionalRestoreOptions variable.

Important

If you're using this step for a purpose unrelated to an OS deployment scenario, add
the Restart Computer step immediately following the Restore User State step.

This step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select User State, and select
Restore User State.

Variables for Restore User State


Use the following task sequence variables with this step:

_OSDMigrateUsmtRestorePackageID
OSDMigrateAdditionalRestoreOptions
OSDMigrateContinueOnRestore
OSDMigrateEnableVerboseLogging
OSDMigrateLocalAccounts
OSDMigrateLocalAccountPassword
OSDStateStorePath

Cmdlets for Restore User State


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepRestoreUserState
New-CMTSStepRestoreUserState
Remove-CMTSStepRestoreUserState
Set-CMTSStepRestoreUserState

Properties for Restore User State


On the Properties tab for this step, configure the settings described in this section.

User state migration tool package

Specify the package that contains the version of USMT for this step to use. This package
doesn't require a program. When the step runs, the task sequence uses the version of
USMT in the specified package. Specify a package containing the 32-bit or 64-bit
version of USMT. The architecture of USMT depends upon the architecture of the OS to
which the task sequence is restoring state.

Restore all captured user profiles with standard options


Restores the captured user profiles with the standard options. To customize the options
that USMT restores, select Customize user profile capture.

Customize how user profiles are restored


Allows you to customize the files that you want to restore to the destination computer.
Select Files to specify the configuration files in the USMT package you want to use for
restoring the user profiles. To add a configuration file, enter the name of the file in the
Filename box, and then select Add. The Files pane lists the configuration files that USMT
uses. The .xml file you specify defines which user file USMT restores.

Restore local computer user profiles


Restores the local computer user profiles. These profiles aren't for domain users. Assign
new passwords to the restored local user accounts. USMT can't migrate the original
passwords. Enter the new password in the Password box, and confirm the password in
the Confirm Password box.

Continue if some files cannot be restored


Continues restoring user state and settings even if USMT is unable to restore some files.
The step enables this option by default. If you disable this option, and USMT encounters
errors while restoring files, this step fails immediately. USMT doesn't restore all files.

Enable verbose logging


Enable this option to generate more detailed log file information. When restoring state,
the task sequence by default generates Loadstate.log in the task sequence log folder,
%WinDir%\ccm\logs.

Run Command Line


Use this step to run the specified command line.

The command being run must meet the following criteria:

It shouldn't interact with the desktop. The command must run silently or in an
unattended mode.

It must not initiate a restart on its own. The command must request a restart using
the standard restart code, 3010. This behavior makes sure that the task sequence
properly handles the restart. If the command does return a 3010 exit code, the task
sequence engine restarts the computer. After the restart, the task sequence
automatically continues.

This step can be run in the full OS or Windows PE.

To add this step in the task sequence editor, select Add, select General, and select Run
Command Line.

Variables for Run Command Line


Use the following task sequence variables with this step:

OSDDoNotLogCommand
SMSTSDisableWow64Redirection
SMSTSRunCommandLineUserName
SMSTSRunCommandLineUserPassword
SMSTSRunCommandLineAsUser
WorkingDirectory

Cmdlets for Run Command Line


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepRunCommandLine
New-CMTSStepRunCommandLine
Remove-CMTSStepRunCommandLine
Set-CMTSStepRunCommandLine

Properties for Run Command Line


On the Properties tab for this step, configure the settings described in this section.

Command line

Specifies the command line that the task sequence runs. This field is required. Include
file name extensions, for example, .vbs and .exe. Include all required settings files and
command-line options.

If you don't specify the file name extension, Configuration Manager tries .com, .exe, and
.bat. If the file name has an extension that's not an executable type, Configuration
Manager tries to apply a local association. For example, if the command line is
readme.gif, Configuration Manager starts the application specified on the destination
computer for opening .gif files.

Examples:

setup.exe /a

cmd.exe /c copy Jan98.dat c:\sales\Jan98.dat

Note

To run successfully, precede command-line actions with the cmd.exe /c command.
Examples of these actions include output redirection, piping, and copy commands.

Output to task sequence variable

Use this setting to save the command output to a custom task sequence variable.

Note

Configuration Manager limits this output to the last 1000 characters.


Disable 64-bit file system redirection

By default, 64-bit operating systems use the WOW64 file system redirector to run
command lines. This behavior is to properly find 32-bit versions of OS executables and
libraries. Select this option to disable the use of the WOW64 file system redirector.
Windows runs the command using native 64-bit versions of OS executables and
libraries. This option has no effect when running on a 32-bit OS.

Start in

Specifies the executable folder for the program, up to 127 characters. This folder can be
an absolute path on the destination computer or a path relative to the distribution point
folder that contains the package. This field is optional.

Examples:

c:\officexp

i386

Note

The Browse button browses the local computer for files and folders. Anything you
select must also exist on the destination computer. It must exist in the same
location and with the same file and folder names.

Package

When you specify files or programs on the command line that aren't already present on
the destination computer, select this option to specify the Configuration Manager
package that contains the necessary files. The package doesn't require a program. If the
specified files exist on the destination computer, this option isn't required.

Time-out

Specifies a value that represents how long Configuration Manager allows the command
line to run. This value can be from one minute to 999 minutes. The default value is 15
minutes. This option is disabled by default.

Important

If you enter a value that doesn't allow enough time for the specified command to
complete successfully, this step fails. The entire task sequence could fail depending
on step or group conditions. If the time-out expires, Configuration Manager
terminates the command-line process.

Run this step as the following account

Specifies that the command line is run as a Windows user account other than the Local
System account.

Note

To run simple scripts or commands with another account after installing the OS,
first add the account to the computer. Additionally, you may need to restore
Windows user profiles to run more complex programs, such as a Windows Installer.

Account

Specifies the Windows user account this step uses to run the command line. The
command line runs with the permissions of the specified account. Select Set to specify
the local user or domain account. For more information on the task sequence run-as
account, see Accounts.

Important

If this step specifies a user account and runs in Windows PE, the action fails. You
can't join Windows PE to a domain. The smsts.log file records this failure.

Options for Run Command Line


Besides the default options, configure the following additional settings on the Options
tab of this task sequence step:

Success codes

Include other exit codes from the script that the step should evaluate as success.

Run PowerShell Script


Use this step to run the specified Windows PowerShell script.

The script must meet the following criteria:

It shouldn't interact with the desktop. The script must run silently or in an
unattended mode.

It must not initiate a restart on its own. The script must request a restart using the
standard restart code, 3010. This behavior makes sure that the task sequence
properly handles the restart. If the script does return a 3010 exit code, the task
sequence engine restarts the computer. After the restart, the task sequence
automatically continues.

Use signed PowerShell scripts in Unicode format. ANSI format, which is the default,
doesn't work with this step.

This step can be run in the full OS or Windows PE. To run this step in Windows PE,
enable PowerShell in the boot image. Enable the WinPE-PowerShell component from
the Optional Components tab in the properties for the boot image. For more
information about how to modify a boot image, see Manage boot images.

Note

PowerShell isn't enabled by default on Windows Embedded operating systems.

Warning

Some antimalware software may inadvertently trigger events for this task sequence
step. To allow these scripts to run without interference, configure the antimalware
software to exclude %windir%\temp\smstspowershellscripts.

To add this step in the task sequence editor, select Add, select General, and select Run
PowerShell Script.

Variables for Run PowerShell Script


Use the following task sequence variables with this step:

OSDLogPowerShellParameters
SMSTSRunPowerShellAsUser
SMSTSRunPowerShellUserName
SMSTSRunPowerShellUserPassword

Cmdlets for Run PowerShell Script

Manage this step with the following PowerShell cmdlets:

Get-CMTSStepRunPowerShellScript
New-CMTSStepRunPowerShellScript
Remove-CMTSStepRunPowerShellScript
Set-CMTSStepRunPowerShellScript

Properties for Run PowerShell Script


On the Properties tab for this step, configure the settings described in this section.

Package

Specify the Configuration Manager package that contains the PowerShell script. One
package can contain multiple PowerShell scripts.

Script name

Specifies the name of the PowerShell script to run. This field is required.

Enter a PowerShell script


Directly enter Windows PowerShell code in this step. This feature lets you run
PowerShell commands during a task sequence without first creating and distributing a
package with the script.

When you add or edit a script, the PowerShell script window provides the following
actions:

Edit the script directly

Open an existing script from file

Browse to an existing approved script in Configuration Manager

Parameters

Specifies the parameters passed to the PowerShell script. These parameters are the
same as the PowerShell script parameters on the command line.

Provide parameters consumed by the script, not for the Windows PowerShell command
line.

The following example contains valid parameters:

-MyParameter1 MyValue1 -MyParameter2 MyValue2

The following example contains invalid parameters. The first two items are Windows
PowerShell command-line parameters (-NoLogo and -ExecutionPolicy Unrestricted).
The script doesn't consume these parameters.

-NoLogo -ExecutionPolicy Unrestricted -File MyScript.ps1 -MyParameter1 MyValue1 -MyParameter2 MyValue2

If a parameter value includes a special character or a space, use single quotation marks
( ' ) around the value. Using double quotation marks ( " ) may cause the task sequence
step to incorrectly process the parameter.

For example: -Arg1 '%TSVar1%' -Arg2 '%TSVar2%'

You can also set this property to a variable. For example, if you specify
%MyScriptVariable%, when the task sequence runs the script, it adds the value of this
custom variable to the PowerShell command line.
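A script written to the criteria and parameter rules above, as an added example that is not from the Configuration Manager documentation: it consumes only its own parameters, never prompts, and requests a restart by exiting with 3010 instead of restarting the computer itself. The script name, the pending-restart check, and reading _SMSTSModel through the Microsoft.SMS.TSEnvironment COM object (not mentioned on this page) are assumptions of this example.

```powershell
# Confirm-PendingRestart.ps1 (hypothetical name; added example).
# Intended Parameters value on the step:
#   -MyParameter1 'MyValue1' -MyParameter2 'MyValue2'
[CmdletBinding()]
param(
    # Not marked Mandatory: a missing mandatory parameter makes PowerShell prompt,
    # and a task sequence script must run unattended.
    [string] $MyParameter1 = '',
    [string] $MyParameter2 = ''
)

$ErrorActionPreference = 'Stop'
$RestartRequired = 3010   # standard restart code handled by the task sequence engine

function Get-TSVariable {
    # Read a task sequence variable. Returns $null when no task sequence is running.
    param([string] $Name)
    try {
        $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return $tsenv.Value($Name)
    }
    catch {
        return $null
    }
}

function Test-PendingRestart {
    # Well-known Windows markers that a restart is pending.
    $markerKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($key in $markerKeys) {
        if (Test-Path -LiteralPath $key) { return $true }
    }
    $renames = Get-ItemProperty `
        -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' `
        -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    return [bool]$renames
}

try {
    if ([string]::IsNullOrWhiteSpace($MyParameter1)) {
        throw 'MyParameter1 is required.'
    }

    $model = Get-TSVariable -Name '_SMSTSModel'

    # The step's real work would run here. It must stay silent and must not call
    # Restart-Computer or shutdown.exe.

    $pending = Test-PendingRestart

    # Keep the summary short: the step's output variable keeps only the last
    # 1000 characters. Parameter values are deliberately not echoed.
    Write-Output ('model={0};pendingRestart={1}' -f $model, $pending)

    if ($pending) { exit $RestartRequired }
    exit 0
}
catch {
    Write-Output ('error=' + $_.Exception.Message)
    exit 1
}
```

Any exit code other than 0 or 3010 that should count as success has to be listed under Success codes on the step's Options tab.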

PowerShell execution policy


Determine which PowerShell scripts (if any) you allow to run on the computer. Choose
one of the following execution policies:

AllSigned: Only run scripts signed by a trusted publisher.

Undefined: Don't define any execution policy.

Bypass: Load all configuration files and run all scripts. If you download an unsigned
script from the internet, Windows PowerShell doesn't prompt for permission
before running the script.

Important

PowerShell 1.0 doesn't support Undefined and Bypass execution policies.

Output to task sequence variable


Save the script output to a custom task sequence variable.

Note

Configuration Manager limits this output to the last 1000 characters.

For an example of how to use this step property, see How to set variables.

Start in

Specify the starting folder for the script, up to 127 characters. This folder can be an
absolute path on the destination computer or a path relative to the distribution point
folder that contains the package. This field is optional.

Note

The Browse button browses the local computer for files and folders. Anything you
select must also exist on the destination computer. It must exist in the same
location and with the same file and folder names.

Time-out

Specify a value that represents how long Configuration Manager allows the PowerShell
script to run. This value can be from one minute to 999 minutes. The default value is 15
minutes. This option is disabled by default.

Important

If you enter a value that doesn't allow enough time for the specified script to
complete successfully, this step fails. The entire task sequence could fail depending
on step or group conditions. If the time-out expires, Configuration Manager
terminates the PowerShell process.

Run this step as the following account

Specify that the PowerShell script is run as a Windows user account other than the Local
System account.

Note

To run simple scripts or commands with another account after installing the OS,
first add the account to the computer. Additionally, you may need to restore
Windows user profiles to run more complex actions.

Account

Specify the Windows user account this step uses to run the PowerShell script. The
specified account must be a local administrator on the system and the script runs with
the permissions of this account. Select Set to specify the local user or domain account.
For more information on the task sequence run-as account, see Accounts.

Important

If this step specifies a user account and runs in Windows PE, the action fails. You
can't join Windows PE to a domain. The smsts.log file records this failure.

Options for Run PowerShell Script


Besides the default options, configure the following additional settings on the Options
tab of this task sequence step:

Success codes

Include other exit codes from the script that the step should evaluate as success.

Run Task Sequence


This step runs another task sequence. It creates a parent-child relationship between the
task sequences. With child task sequences, you can create more modular, reusable task
sequences.

To add this step in the task sequence editor, select Add, select General, and select Run
Task Sequence.

Specifications and limitations for Run Task Sequence


Consider the following points when you add a child task sequence to a task sequence:

The parent and child task sequences are effectively combined into a single policy
that the client runs.

The environment is global. If the parent task sequence sets a variable, and then the
child task sequence changes that variable, it retains the latest value. If the child
task sequence creates a new variable, it's available for the rest of the parent task
sequence.

Status messages are sent per normal for a single task sequence operation.

The task sequence writes entries to the smsts.log file, with new log entries that
make it clear when a child task sequence starts.

You can't select a task sequence with a boot image reference. For any deployment
that requires a boot image, specify it on the parent task sequence.

If a child task sequence is disabled, the deployment fails. You can't use the
Continue on error option to work around this limitation.

If a child task sequence contains steps that are considered high impact, Software
Center doesn't detect it and show the high-impact notification. Modify the
properties of the parent task sequence, on the User Notification tab, to specify that
This is a high-impact task sequence.

If a child task sequence has a missing package reference, viewing the parent task
sequence doesn't detect this state. If you edit the parent task sequence, it detects
any missing references in child task sequences when you make changes to the
parent.

Cmdlets for Run Task Sequence


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepRunTaskSequence
New-CMTSStepRunTaskSequence
Remove-CMTSStepRunTaskSequence
Set-CMTSStepRunTaskSequence

Properties for Run Task Sequence


On the Properties tab for this step, configure the settings described in this section.

Select task sequence to run


Select Browse to select the child task sequence. The Select a Task Sequence dialog box
doesn't display the parent task sequence.

Set Dynamic Variables


Use this step to perform the following actions:

1. Gather information from the computer and its environment. Then set specified task
sequence variables with the information.

2. Evaluate defined rules. Set task sequence variables based on the rules that evaluate
to true.

This step can be run in either the full OS or Windows PE.

To add this step in the task sequence editor, select Add, select General, and select Set
Dynamic Variables.

Variables for Set Dynamic Variables


The task sequence automatically sets the following read-only task sequence variables:

_SMSTSMake
_SMSTSModel
_SMSTSMacAddresses
_SMSTSIPAddresses
_SMSTSSerialNumber
_SMSTSAssetTag
_SMSTSUUID

Cmdlets for Set Dynamic Variables


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepSetDynamicVariable
New-CMTSStepSetDynamicVariable
Remove-CMTSStepSetDynamicVariable
Set-CMTSStepSetDynamicVariable
New-CMTSRule

Properties for Set Dynamic Variables


On the Properties tab for this step, configure the settings described in this section.

Dynamic rules and variables


To set a dynamic variable for use in the task sequence, add a rule. Then set a value for
each variable specified in the rule. Additionally, add one or more variables without
adding a rule. When you add a rule, choose from the following categories:

Computer: Evaluate values for hardware asset tag, UUID, serial number, or MAC
address. Set multiple values as necessary. If any value is true, then the rule
evaluates as true. For example, the following rule evaluates as true if the device
serial number is 5892087 or the MAC address is 22-A4-5A-13-78-26:

IF Serial Number = 5892087 OR MAC address = 26-78-13-5A-A4-22 THEN

Location: Evaluate values for the default network gateway.

Make and Model: Evaluate values for the make and model of a computer. Both the
make and model must evaluate to true for the rule to evaluate to true.

Specify an asterisk ( * ) and question mark ( ? ) as wildcard characters. The asterisk
matches multiple characters and the question mark matches a single character. For
example, the string DELL*900? matches both DELL-ABC-9001 and DELL9009.

Task Sequence Variable: Add a task sequence variable, condition, and value to
evaluate. The conditions are the same as for step conditions. The rule evaluates to
true when the value set for the variable meets the specified condition.

Specify one or more variables to set for a rule that evaluates to true, or set
variables without using a rule. Select an existing variable, or create a custom
variable.

Existing task sequence variables: Select one or more variables from a list of
existing task sequence variables. Array variables aren't available to select.

Custom task sequence variables: Define a custom task sequence variable. You
can also specify an existing task sequence variable. This setting is useful to
specify an existing variable array, such as OSDAdapter, since variable arrays
aren't in the list of existing task sequence variables.
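To dry-run rules before deploying them, the added example below (not Configuration Manager code) evaluates the Computer, Location, and Make and Model categories against a constructed device record. The function names, the hashtable layout, and case-insensitive matching are assumptions of this example; the serial number, MAC address, and DELL*900? pattern are the ones used in this section.

```powershell
function ConvertTo-RuleRegex {
    # Translate a rule pattern into an anchored regex. Only * and ? are
    # wildcards; every other character is matched literally.
    param([string] $Pattern)
    '^' + [regex]::Escape($Pattern).Replace('\*', '.*').Replace('\?', '.') + '$'
}

function Test-DynamicRule {
    param(
        [Parameter(Mandatory)] [hashtable] $Rule,
        [Parameter(Mandatory)] [hashtable] $Device
    )
    switch ($Rule.Category) {
        'Computer' {
            # OR semantics: one matching value is enough.
            foreach ($name in $Rule.AnyOf.Keys) {
                if (@($Device[$name]) -contains $Rule.AnyOf[$name]) { return $true }
            }
            return $false
        }
        'MakeAndModel' {
            # AND semantics: make and model must both match.
            $makeOk  = $Device.Make  -match (ConvertTo-RuleRegex $Rule.Make)
            $modelOk = $Device.Model -match (ConvertTo-RuleRegex $Rule.Model)
            return ($makeOk -and $modelOk)
        }
        'Location' {
            return ($Device.DefaultGateway -eq $Rule.DefaultGateway)
        }
        default { throw "Unknown rule category: $($Rule.Category)" }
    }
}

# Constructed device record: the serial number differs from the rule,
# the MAC address matches it.
$device = @{
    SerialNumber   = 'CONSTRUCTED-0001'
    MacAddress     = @('26-78-13-5A-A4-22')
    Make           = 'Dell Inc.'
    Model          = 'DELL-ABC-9001'
    DefaultGateway = '192.0.2.1'
}

$rules = @(
    @{ Name = 'Known asset'; Category = 'Computer'
       AnyOf = @{ SerialNumber = '5892087'; MacAddress = '26-78-13-5A-A4-22' } },
    @{ Name = 'Dell 900x';  Category = 'MakeAndModel'; Make = 'Dell*';    Model = 'DELL*900?' },
    @{ Name = 'Other make'; Category = 'MakeAndModel'; Make = 'Contoso*'; Model = 'DELL*900?' },
    @{ Name = 'Lab subnet'; Category = 'Location';     DefaultGateway = '192.0.2.1' }
)

foreach ($rule in $rules) {
    '{0}: {1}' -f $rule.Name, (Test-DynamicRule -Rule $rule -Device $device)
}
```

The first rule is true on the MAC address alone, while the third is false even though the model matches, because the make does not.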

After you select the variables for a rule, provide a value for each variable. The variable is
set to the specified value when the rule evaluates to true. For each variable, you can
select Do not display this value to hide the value of the variable. By default, some
existing variables hide values, such as the OSDCaptureAccountPassword variable.

Important

When you import a task sequence with the Set Dynamic Variables step,
Configuration Manager removes any variable values marked as Do not display this
value. After you import the task sequence, re-enter the value for the dynamic
variable.

When you use the option Do not display this value, the value of the variable isn't
displayed in the task sequence editor. The task sequence log file (smsts.log) or the task
sequence debugger won't show the variable value either. The variable can still be used
by the task sequence when it runs. If you no longer want these variables to be hidden,
delete them first. Then redefine the variables without selecting the option to hide them.

Warning

If you include variables in the Run Command Line step's command line, the task
sequence log file displays the full command line including the variable values. To
prevent potentially sensitive data from appearing in the log file, set the task
sequence variable OSDDoNotLogCommand to TRUE.

Set Task Sequence Variable


Use this step to set the value of a variable that's used with the task sequence.

This step can be run in either the full OS or Windows PE.

To add this step in the task sequence editor, select Add, select General, and select Set
Task Sequence Variable.

Variables for Set Task Sequence Variable


Task sequence variables are read by task sequence actions and specify the behavior of
those actions. For more information about specific task sequence variables and how to
use them, see the following articles:

How to use task sequence variables


Task sequence variables

Cmdlets for Set Task Sequence Variable


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepSetVariable
New-CMTSStepSetVariable
Remove-CMTSStepSetVariable
Set-CMTSStepSetVariable

Properties for Set Task Sequence Variable


On the Properties tab for this step, configure the settings described in this section.

Task sequence variable

Specify the name of a task sequence built-in or action variable, or specify your own
user-defined variable name.

Do not display this value

Enable this option to mask sensitive data stored in task sequence variables. For example,
when specifying a password.

Note

Enable this option and then set the value of the task sequence variable. Otherwise
the variable value isn't set as you intend, which may cause unexpected behaviors
when the task sequence runs.

When you use the option Do not display this value, the value of the variable isn't
displayed in the task sequence editor. The task sequence log file (smsts.log) or the task
sequence debugger won't show the variable value either. The variable can still be used
by the task sequence when it runs. If you no longer want this variable to be hidden,
delete it first. Then redefine the variable without selecting the option to hide it.

Warning

If you include variables in the Run Command Line step's command line, the task
sequence log file displays the full command line including the variable values. To
prevent potentially sensitive data from appearing in the log file, set the task
sequence variable OSDDoNotLogCommand to TRUE.

Value

The task sequence sets the variable to this value. Set this task sequence variable to the
value of another task sequence variable with the syntax %varname%.
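The warning above means a value hidden with Do not display this value can still reach smsts.log through a Run Command Line step that references it as %varname%. The added example below (not Configuration Manager code) audits an ordered list of steps for that case. The step objects are constructed, the function name and name pattern are hypothetical, and the example assumes OSDDoNotLogCommand is set by a Set Task Sequence Variable step and applies to the steps that follow it.

```powershell
function Find-LoggedSecretCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Steps,
        # Assumption: variable names matching this pattern hold sensitive data.
        [string] $SensitiveNamePattern = 'password|pwd|secret|token|key'
    )

    # Variables defined earlier with "Do not display this value".
    $hidden = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    $doNotLog = $false

    foreach ($step in $Steps) {
        if ($step.Type -eq 'SetVariable') {
            if ($step.Hidden) { [void]$hidden.Add($step.Name) }
            if ($step.Name -eq 'OSDDoNotLogCommand') {
                $doNotLog = ($step.Value -eq 'TRUE')
            }
        }
        elseif ($step.Type -eq 'RunCommandLine' -and -not $doNotLog) {
            # Collect every %varname% reference in the command line.
            $refs = @([regex]::Matches($step.CommandLine, '%([^%\s]+)%') |
                ForEach-Object { $_.Groups[1].Value })
            $risky = @($refs | Where-Object {
                $hidden.Contains($_) -or $_ -match $SensitiveNamePattern })
            if ($risky.Count -gt 0) {
                [pscustomobject]@{
                    Step      = $step.Name
                    Variables = ($risky -join ', ')
                    Fix       = 'Set OSDDoNotLogCommand to TRUE before this step'
                }
            }
        }
    }
}

# Constructed step list in execution order (all names and values are samples).
$steps = @(
    [pscustomobject]@{ Type = 'SetVariable'; Name = 'DeployShareCred'
                       Value = 'constructed-value'; Hidden = $true },
    [pscustomobject]@{ Type = 'RunCommandLine'; Name = 'Map share'
        CommandLine = 'cmd.exe /c net use S: \\fs01.example\deploy %DeployShareCred% /user:EXAMPLE\svc-deploy' },
    [pscustomobject]@{ Type = 'RunCommandLine'; Name = 'Activate app'
        CommandLine = 'setup.exe /quiet /license:%AppLicenseKey%' },
    [pscustomobject]@{ Type = 'SetVariable'; Name = 'OSDDoNotLogCommand'
                       Value = 'TRUE'; Hidden = $false },
    [pscustomobject]@{ Type = 'RunCommandLine'; Name = 'Map share (masked)'
        CommandLine = 'cmd.exe /c net use T: \\fs01.example\tools %DeployShareCred% /user:EXAMPLE\svc-deploy' }
)

Find-LoggedSecretCommandLine -Steps $steps | Format-Table -AutoSize
```

The first two Run Command Line steps are reported: one references a hidden variable, the other a variable whose name matches the pattern. The third is not, because OSDDoNotLogCommand is already TRUE when it runs.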

Setup Windows and ConfigMgr


Use this step to perform the transition from Windows PE to the new OS. This task
sequence step is a required part of any OS deployment. It installs the Configuration
Manager client into the new OS, and prepares for the task sequence to continue
execution in the new OS.

This step is responsible for transitioning the task sequence from Windows PE to the full
OS. The step runs both in Windows PE and the full OS because of this transition.
However, since the transition starts in Windows PE, it can only be added during the
Windows PE portion of the task sequence.

This step replaces sysprep.inf or unattend.xml directory variables, such as %WINDIR% and
%ProgramFiles%, with the Windows PE installation directory, X:\Windows. The task
sequence ignores variables specified by using these environment variables.

To add this step in the task sequence editor, select Add, select Images, and select Setup
Windows and ConfigMgr.

Behaviors for Setup Windows and ConfigMgr


This step performs the following actions:

Preliminaries: Windows PE

1. Substitute task sequence variables in the unattend.xml file.

2. Download the package that contains the Configuration Manager client. Add the
package to the deployed image.

Set up Windows

Image-based installation

1. Disable the Configuration Manager client in the image, if it exists. In other
words, disable Autostart for the Configuration Manager client service.

2. Update the registry in the deployed image to start the deployed OS with the
same drive letter as the reference computer.

3. Restart to the deployed OS.

4. Windows mini-setup runs by using the previously specified sysprep.inf or
unattend.xml answer file that has all end-user interaction suppressed. If you
use the Apply Network Settings step to join a domain, then that information
is in the answer file. Windows mini-setup joins the computer to the domain.

Setup.exe-based installation. Runs Setup.exe that follows the typical Windows
setup process:

1. Copy the OS upgrade package, specified in the Apply Operating System
step, to the hard disk drive.

2. Restart to the newly deployed OS.

3. Windows mini-setup runs by using the previously specified sysprep.inf or
unattend.xml answer file that has all user interface settings suppressed. If you
use the Apply Network Settings step to join a domain, then that information
is in the answer file. Windows mini-setup joins the computer to the domain.

Set up the Configuration Manager client


1. After Windows mini-setup finishes, the task sequence resumes by using
setupcomplete.cmd. For more information, see Run a script after setup is complete
(SetupComplete.cmd).

2. Enable or disable the local Administrator account, based on the option selected in
the Apply Windows Settings step.

3. Install the Configuration Manager client by using the previously downloaded
package, and installation properties specified in this step. The client installs in
"provisioning mode". This mode prevents the client from processing new policy
requests until the task sequence completes. For more information, see Provisioning
mode.

4. Wait for the client to be fully operational.

The step completes

The task sequence continues running the next step.


Note

Windows group policy normally doesn't process until after the task sequence is
complete. This behavior is consistent across different versions of Windows. Other
custom actions during the task sequence can trigger group policy evaluation. For
more information on the order of operations, see Run a script after setup is
complete (SetupComplete.cmd).

Variables for Setup Windows and ConfigMgr


Use the following task sequence variables with this step:

SMSClientInstallProperties

Cmdlets for Setup Windows and ConfigMgr


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepSetupWindowsAndConfigMgr
New-CMTSStepSetupWindowsAndConfigMgr
Remove-CMTSStepSetupWindowsAndConfigMgr
Set-CMTSStepSetupWindowsAndConfigMgr

Properties for Setup Windows and ConfigMgr


On the Properties tab for this step, configure the settings described in this section.

Client package

Select Browse, then choose the Configuration Manager client installation package to
use with this step.

Use pre-production client package when available

If there's a pre-production client package available, and the computer is a member of
the piloting collection, the task sequence uses this package instead of the production
client package. The pre-production client is a newer version for testing in the production
environment. Select Browse, then choose the pre-production client installation package
to use with this step.

Installation Properties

The task sequence step automatically specifies site assignment and the default
configuration. Use this field to specify any additional installation properties to use when
you install the client. To enter multiple installation properties, separate them with a
space.

Specify command-line options to use during client installation. For example, enter
/skipprereq:silverlight.exe to inform CCMSetup.exe to not install the Microsoft
Silverlight prerequisite. For more information about available command-line options for
CCMSetup.exe, see About client installation properties.

When you run an OS deployment task sequence on an internet-based client, that's
either Azure AD-joined or uses token-based authentication, you need to specify the
CCMHOSTNAME property in the Setup Windows and ConfigMgr step. For example,
CCMHOSTNAME=OTTERFALLS.CLOUDAPP.NET/CCM_Proxy_MutualAuth/12345678907927939.

Options for Setup Windows and ConfigMgr

Note

Don't enable Continue on error on the Options tab. If there's an error during this
step, the task sequence fails whether or not you enable this setting.

Upgrade Operating System


Use this step to upgrade an earlier version of Windows to a later version of Windows.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.

To add this step in the task sequence editor, select Add, select Images, and select
Upgrade Operating System.

Tip

Windows 11 and Windows 10 media include multiple editions. When you configure
a task sequence to use an OS upgrade package or OS image, be sure to select a
supported edition.

Use content pre-caching to download an applicable OS upgrade package before a
user installs the task sequence. For more information, see Configure pre-cache
content.

Variables for Upgrade OS


Use the following task sequence variables with this step:

_SMSTSOSUpgradeActionReturnCode
SetupCompletePause
OSDSetupAdditionalUpgradeOptions

Cmdlets for Upgrade OS


Manage this step with the following PowerShell cmdlets:

Get-CMTSStepUpgradeOperatingSystem
New-CMTSStepUpgradeOperatingSystem
Remove-CMTSStepUpgradeOperatingSystem
Set-CMTSStepUpgradeOperatingSystem

Properties for Upgrade OS


On the Properties tab for this step, configure the settings described in this section.

Upgrade package

Select this option to specify the Windows OS upgrade package to use for the upgrade.

Source path

Specifies a local or network path to the Windows media that Windows Setup uses. This
setting corresponds to the Windows Setup command-line option /InstallFrom .

You can also specify a variable, such as %MyContentPath% or %DPC01% . When you use a
variable for the source path, set its value earlier in the task sequence. For example, use
the Download Package Content step to specify a variable for the location of the OS
upgrade package. Then, use that variable for the source path for this step.

Edition

Specify the edition within the OS media to use for the upgrade.

Product key

Specify the product key to apply to the upgrade process.

Install the following feature updates

Starting in version 2103, select this option to upgrade a client's Windows OS by using a
feature update. This option uses content that you synchronize through the software
update point. The size of the servicing ESD file is generally smaller than the OS upgrade
package and WIM image file.

Select the new button (gold asterisk), and add a feature update.

Note

You can only add feature updates.

If your environment supports multiple languages or architectures, add multiple feature
updates to the step. The client uses the first applicable update that's not superseded by
any other deployed updates.

The user experience with a feature update in a task sequence is the same as with an OS
upgrade package.

Provide the following driver content to Windows Setup during upgrade

Add drivers to the destination computer during the upgrade process. The drivers must
be compatible with Windows 10 or later. This setting corresponds to the Windows Setup
command-line option /InstallDriver . For more information, see Windows Setup
command-line options.

Specify one of the following options:

Driver package: Select Browse and choose an existing driver package from the list.

Staged content: Select this option to specify the location for the driver content.
You can specify a local folder, network path, or a task sequence variable. When you
use a variable for the source path, set its value earlier in the task sequence. For
example, by using the Download Package Content step.

Tip

If you want to have dynamic content for multiple types of hardware:

Use multiple instances of this step with conditions for the hardware types and
separate driver content.

Use multiple instances of the Download Package Content step. Place the
content in a common location, and then use the Staged content option. The
benefit of this method is the task sequence has a single Upgrade OS step.

Note

This option is not compatible with feature updates.

Time-out (minutes)

Specify the number of minutes before Configuration Manager fails this step. This option
is useful if Windows Setup stops processing but doesn't terminate.

Perform Windows Setup compatibility scan without starting upgrade

Perform the Windows Setup compatibility scan without starting the upgrade process.
This setting corresponds to the Windows Setup command-line option /Compat ScanOnly.
Deploy the entire OS upgrade package with this option.

When you enable this option, this step doesn't put the Configuration Manager client
into provisioning mode. Windows Setup runs silently in the background, and the client
continues to function as normal. For more information, see Provisioning mode.

Setup returns an exit code as a result of the scan. The following table provides some of
the more common exit codes:

Exit code | Details
MOSETUP_E_COMPAT_SCANONLY (0xC1900210) | No compatibility issues ("success").
MOSETUP_E_COMPAT_INSTALLREQ_BLOCK (0xC1900208) | Actionable compatibility issues.
MOSETUP_E_COMPAT_MIGCHOICE_BLOCK (0xC1900204) | Selected migration choice isn't available. For example, an upgrade from Enterprise to Professional.
MOSETUP_E_COMPAT_SYSREQ_BLOCK (0xC1900200) | Not eligible for Windows 10.
MOSETUP_E_COMPAT_INSTALLDISKSPACE_BLOCK (0xC190020E) | Not enough free disk space.

For more information about this parameter, see Windows Setup Command-Line
Options.

Ignore any dismissible compatibility messages

Specifies that Setup completes the installation, ignoring any dismissible compatibility
messages. This setting corresponds to the Windows Setup command-line option
/Compat IgnoreWarning .

Dynamically update Windows Setup with Windows Update

Enable setup to perform Dynamic Update operations, such as search, download, and
install updates. This setting corresponds to the Windows Setup command-line option
/DynamicUpdate. This setting isn't compatible with Configuration Manager software
updates. Enable this option when you manage updates with stand-alone Windows
Server Update Services (WSUS) or Windows Update for Business.

Override policy and use default Microsoft Update

Temporarily override the local policy in real time to run Dynamic Update operations. The
computer gets updates from Windows Update.

Install Software Updates
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Install Software Updates step is commonly used in Configuration Manager task
sequences. When installing or updating the OS, it triggers the software updates
components to scan for and deploy updates. This step can cause challenges for some
customers, such as long timeout delays or missed updates. Use the information in this
article to help mitigate common issues with this step, and for better troubleshooting
when things go wrong.

For more information on the step, see Install Software Updates.

Recommendations

To help this process be successful, use the following recommendations:

Use offline servicing
Single index
Reduce image size

Use offline servicing


Use Configuration Manager to regularly install applicable software updates to your
image files. This practice then reduces the number of updates that you need to install
during the task sequence.

For more information, see Apply software updates to an image.

Single index
Many image files include multiple indexes, such as for different editions of Windows.
Reduce the image file to a single index that you require. This practice reduces the
amount of time to apply software updates to the image. It also enables the next
recommendation to reduce the image size.

Automate this process when you add an OS image to the site. For more information, see
Add an OS image.

Reduce image size


When you apply software updates to the image, optimize the output by removing any
superseded updates. Use the DISM command-line tool, for example:

Command

dism /Mount-Image /ImageFile:C:\Data\install.wim /MountDir:C:\Mountdir

dism /Image:C:\Mountdir /Cleanup-Image /StartComponentCleanup /ResetBase

dism /Unmount-Image /MountDir:C:\Mountdir /Commit

There's an option to automate this process. For more information, see Optimized image
servicing.

Image engineering decisions


When you design your imaging process, there are several options that can affect the
installation of software updates:

Periodically recapture the image
Use offline servicing
Use default image only

Periodically recapture the image


You have an automated process to capture a custom OS image on a regular schedule.
This capture task sequence installs the latest software updates. These updates can
include cumulative, non-cumulative, and other critical updates such as servicing stack
updates (SSU). The deployment task sequence installs any other updates since capture.

For more information on this process, see Create a task sequence to capture an OS.

Advantages: recapture image


Fewer updates to apply at deployment time per client, which saves time and
bandwidth during deployment
Fewer updates to worry about causing restarts
Customized image for the organization
Fewer variables at deployment time

Disadvantages: recapture image

Time to create and capture image, even though it's mostly automated
Increased time to distribute the image to distribution points, which can be seen as
outage for active deployments
Time to test through pre-production environments may be longer than OS patch
cycle, which can make the updated image irrelevant

Use offline servicing


Schedule Configuration Manager to apply software updates to your images.

For more information, see Apply software updates to an image.

Advantages: offline servicing

Fewer updates to apply at deployment time per client, which saves time and
bandwidth during deployment
Fewer updates to worry about causing restarts
You can schedule the servicing process at the site

Disadvantages: offline servicing

Manual selection of updates
Increased time to distribute the image to distribution points
Only supports CBS-based updates. It can't apply Microsoft 365 Apps updates

Tip

You can automate the selection of software updates using PowerShell. Use the
Get-CMSoftwareUpdate cmdlet to get a list of updates. Then use the
New-CMOperatingSystemImageUpdateSchedule cmdlet to create the offline servicing
schedule. The following example shows one method to automate this action:

PowerShell

# Get the OS image
$Win10Image = Get-CMOperatingSystemImage -Name "Windows 10 Enterprise"

# Get the latest cumulative update for Windows 10 1809
$OSBuild = "1809"
$LatestUpdate = Get-CMSoftwareUpdate -Fast |
    Where-Object {
        $_.LocalizedDisplayName -like "*Cumulative Update for Windows 10 Version $OSBuild for x64*" -and
        $_.LocalizedDisplayName -notlike "*Dynamic*"
    } |
    Sort-Object ArticleID -Descending |
    Select-Object -First 1
Write-Host "Latest update for Windows 10 build" $OSBuild "is" $LatestUpdate.LocalizedDisplayName

# Create a new update schedule to apply the latest update
New-CMOperatingSystemImageUpdateSchedule -Name $Win10Image.Name -SoftwareUpdate $LatestUpdate -RunNow -ContinueOnError $True

Use default image only


Use the default Windows install.wim image file in your deployment task sequences.

Advantages: default image

A known good source, which reduces the risk of image corruption as a possible
issue
Eliminates modifications to image as a possible issue

Disadvantages: default image


Potential for high volume of updates during the deployment
Increased deployment time for every device
May not have needed customizations, requires other task sequence steps to
customize

Flowchart
This flowchart diagram shows the process when you include the Install Software
Updates step in a task sequence.


1. Process starts on the client: A task sequence running on a client includes the
   Install Software Updates step.
2. Compile and evaluate policies: The client compiles all software update policies
   into WMI RequestedConfigs namespace. (CIAgent.log)
3. Is this instance the first time it's called?
   a. Yes: Go to Full scan
   b. No: Is the step configured with the option to Evaluate software updates from
      cached scan results?
      i. Yes: Go to Scan from cached results
      ii. No: Go to Full scan
4. Scan process: either a full scan or scan from cached results, with monitoring
   process in parallel.
   a. Full scan: The task sequence engine calls the software update agent via Update
      Scan API to do a full scan. (WUAHandler.log, ScanAgent.log)
      i. SUM agent scan - full: Normal scan process via Windows Update Agent
         (WUA), which communicates with software update point running WSUS. It
         adds any applicable updates to the local update store. (WindowsUpdate.log,
         UpdateStore.log)
   b. Scan from cached results: The task sequence engine calls the software update
      agent via Update Scan API to scan against cached metadata. (WUAHandler.log,
      ScanAgent.log)
      i. SUM agent scan - cached: The Windows Update Agent (WUA) checks against
         updates already cached in the local update store. (WindowsUpdate.log,
         UpdateStore.log)
   c. Start scan timer: The task sequence engine starts a timer and waits. (This
      process happens in parallel with either the full scan or scan from cached results
      process.)
      i. Monitoring: The task sequence engine monitors the SUM agent for status.
      ii. What's the response from the SUM agent?
          In progress: Has the timer reached the value in task sequence variable
          SMSTSSoftwareUpdateScanTimeout? (Default 1 hour)
              Yes: The step fails.
              No: Go to Monitoring
          Failed: The step fails.
          Complete: Go to Enumerate update list
5. Enumerate update list: The SUM agent enumerates the list of updates returned by
   the scan, determining which are available or mandatory.
6. Are there any updates in the list of scan results?
   Yes: Go to Install updates
   No: Nothing to install, the step successfully completes.
7. Deployment process: The install updates process happens in parallel with the
   deployment monitoring process.
   a. Install updates: The task sequence engine calls the SUM agent via Update
      Deployment API to install all available or only mandatory updates. This behavior
      is based on the configuration of the step, whether you select Required for
      installation - Mandatory software updates only or Available for installation -
      All software updates. You can also specify this behavior using the
      SMSInstallUpdateTarget variable.
      i. SUM agent install: Normal install process using existing cached list of
         updates, with standard content download. Install update via Windows
         Update Agent (WUA). (UpdatesDeployment.log, UpdatesHandler.log,
         WuaHandler.log, WindowsUpdate.log)
   b. Start deployment timer and show progress: The task sequence engine starts an
      installation timer, shows subprogress at 10% intervals in TS Progress UI, and
      waits.
      i. Monitoring: The task sequence engine polls the SUM agent for status.
      ii. What's the response from the SUM agent?
          In progress: Has the installation process been inactive for 8 hours?
              Yes: The step fails.
              No: Go to Monitoring
          Failed: The step fails.
          Complete: Go to Is the step configured with the option to Evaluate
          software updates from cached scan results?

Timeouts
The diagram includes two of the timeout variables that apply to this step. There are
other standard timers from other components that can affect this process.

Update scan timeout: One hour (smsts.log)
Location request timeout: One hour (LocationServices.log, CAS.log)
Content download timeout: One hour (DTS.log)
Inactive distribution point timeout: One hour (LocationServices.log, CAS.log)
Total install inactive timeout: Eight hours (smsts.log)

Troubleshooting
Use the following resources and additional information to help you troubleshoot issues
with this step:

Make sure to target your software update deployments to the same collection as
the task sequence deployment.

Make sure to include software update points in boundary groups. For more
information, see Configuration Manager clients don't get software updates.

To help you troubleshoot the software update management process, see
Troubleshoot software update management in Configuration Manager.

To help improve overall performance, reduce the size of the software update
catalog. For example:

   Remove unnecessary classifications, products, and languages. For more
   information, see Configure classifications and products to synchronize.

   Reindex the site database and rebuild statistics. For more information, see the
   FAQ for site sizing and performance.

   Decline unnecessary updates, for example:

      Superseded.

         Note

         Configuration Manager does this action for you. For more information,
         see WSUS cleanup behavior.

      Itanium
      Beta
      Version Next
      ARM
      Versions of Windows you aren't deploying

In-place upgrade recommendations
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The default task sequence template for Windows in-place upgrade includes groups with
recommended actions to add before and after the upgrade process. These actions are
common among many customers who are successfully upgrading Windows on devices.
This article provides information about these recommended steps during different
phases of the upgrade process.

Prepare for upgrade


If you have an existing task sequence that doesn't already have these actions, manually
add them to your task sequence in the Prepare for Upgrade group.

Battery checks
Add steps in this group to check whether the computer is using battery, or wired power.
This action requires a custom script or utility to run this check.

Battery check example


Use WbemTest and connect to the root\cimv2 namespace. Then run the following
query:

Select BatteryStatus From Win32_Battery where BatteryStatus != 2

If it returns any results, then the device is running on battery. Otherwise, the device is
connected to wired power.

Network/wired connection checks


Add steps in this group to check whether the computer is connected to a network, and
isn't using a wireless connection. This action requires a custom script or utility to run this
check.

Network check example


Use WbemTest and connect to the root\cimv2 namespace. Then run the following
query:

Select * From Win32_NetworkAdapter Where NetConnectionStatus = 2 and PhysicalAdapter = 'True' and NetConnectionID = 'Wi-Fi'

If it returns any results, then the device is running on Wi-Fi. Otherwise, the device is
connected to a wired network connection.
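
One way to run the battery and network checks above from a Run PowerShell Script step, as an added example that is not part of the original documentation. It runs the two WQL queries shown above; the function names and the exit codes 1, 2, and 3 are assumptions chosen for illustration.

```powershell
# Added example: power and network pre-flight check for the Prepare for Upgrade group.
# Function names and exit codes are illustrative assumptions, not Configuration Manager names.

# The two WQL queries from the battery and network check examples.
$BatteryQuery = 'Select BatteryStatus From Win32_Battery Where BatteryStatus != 2'
$WiFiQuery    = "Select * From Win32_NetworkAdapter Where NetConnectionStatus = 2 and " +
                "PhysicalAdapter = 'True' and NetConnectionID = 'Wi-Fi'"

function Get-QueryRowCount {
    param([Parameter(Mandatory)][string]$Query)
    # -ErrorAction Stop turns a WMI failure into an exception, so a broken
    # repository is not mistaken for "no rows returned".
    $rows = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    return $rows.Count
}

function Test-UpgradePreflight {
    # A device without a battery returns no Win32_Battery rows, which the
    # battery check treats as wired power.
    $onBattery = (Get-QueryRowCount -Query $BatteryQuery) -gt 0

    # NetConnectionID is the display name of the connection, so a renamed or
    # localized wireless adapter does not match 'Wi-Fi'.
    $onWiFi = (Get-QueryRowCount -Query $WiFiQuery) -gt 0

    return [pscustomobject]@{ OnBattery = $onBattery; OnWiFi = $onWiFi }
}

try {
    $check = Test-UpgradePreflight
}
catch {
    Write-Output "Pre-flight check could not query WMI: $($_.Exception.Message)"
    exit 3   # assumed exit code: the check itself failed
}

# The output line lands in the step's log so the reason for a failure is visible.
Write-Output ("OnBattery={0} OnWiFi={1}" -f $check.OnBattery, $check.OnWiFi)

if ($check.OnBattery) { exit 1 }   # assumed exit code: running on battery
if ($check.OnWiFi)    { exit 2 }   # assumed exit code: connected over Wi-Fi
exit 0                             # wired power and no connected Wi-Fi adapter
```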

Remove incompatible applications


Add steps in this group to remove any applications that are incompatible with the target
version of Windows. The method to uninstall an application varies.

If the application uses Windows Installer, copy the Uninstall program command line
from the Programs tab on the Windows Installer deployment type properties of the
application. Then add a Run Command Line step in this group with the uninstall
program command line. For example:

msiexec /x {150031D8-1234-4BA8-9F52-D6E5190D1CBA} /q

Remove incompatible drivers


Add steps in this group to remove any drivers that are incompatible with the target
version of Windows.

Remove/suspend third-party security


Add steps in this group to remove or suspend third-party security programs, such as
antivirus.

If you're using a third-party disk encryption program, provide its encryption driver to
Windows Setup with the /ReflectDrivers command-line option. Add a Set Task
Sequence Variable step to the task sequence in this group. Set the task sequence
variable to OSDSetupAdditionalUpgradeOptions. Set the value to /ReflectDrivers with
the path to the driver. This task sequence variable appends the Windows Setup
command-line used by the task sequence. Contact your software vendor for any further
guidance on this process.

Download Package Content task sequence step


Use the Download Package Content step before the Upgrade Operating System step in
the following scenarios:

You use a single upgrade task sequence for both x86 and x64 platforms. Include
two Download Package Content steps in the Prepare for Upgrade group. Set
conditions on each step to detect the client architecture. This condition causes the
step to download only the appropriate OS upgrade package. Configure each
Download Package Content step to use the same variable, and use the variable for
the media path on the Upgrade Operating System step.

To dynamically download an applicable driver package, use two Download
Package Content steps with conditions to detect the appropriate hardware type
for each driver package. Configure each Download Package Content step to use
the same variable. Then use that variable for the Staged content value in the
drivers section on the Upgrade Operating System step.

Note

Configuration Manager adds a numerical suffix to this variable name. For
example, if you specify %mycontent% as a custom variable, the client stores all
referenced content in this location. When you refer to the variable in a
subsequent step, such as Upgrade Operating System, use the variable with a
numerical suffix. In this example, %mycontent01% or %mycontent02%, where the
number corresponds to the order in which the Download Package Content
step lists this specific content.

Post-processing
After you create the task sequence, add more steps in the Post-Processing group of the
task sequence.

Note

This task sequence isn't linear. There are conditions on steps that can affect the
results of the task sequence. This behavior depends on whether it successfully
upgrades the client computer, or if it has to roll back the client computer to the
original OS.

The default task sequence template for Windows in-place upgrade includes other
groups with recommended actions to add after the upgrade process. These actions in
the Post-Processing group are common among many customers who are successfully
upgrading Windows on devices. If you have an existing task sequence that doesn't
already have these actions, manually add them to your task sequence in the
Post-Processing group.

Apply setup-based drivers


Add steps in this group to install setup-based drivers (.exe) from packages.

Install/enable third-party security


Add steps in this group to install or enable third-party security programs, such as
antivirus.

Set Windows default apps and associations


Add steps in this group to set Windows default apps and file associations.

1. Prepare a reference computer with app associations you want.

2. Run the following command line to export:

dism /online /Export-DefaultAppAssociations:"%UserProfile%\Desktop\DefaultAppAssociations.xml"

3. Add the XML file to a package.

4. Add a Run Command Line step in this group. Specify the package that contains the
XML file, and then specify the following command line:

dism /online /Import-DefaultAppAssociations:DefaultAppAssociations.xml

For more information, see Export or import default application associations.

Apply customizations and personalization


Add steps in this group to apply Start menu customizations, such as organizing program
groups. For more information, see Customize the Start layout.

Rollback
When something goes wrong with the upgrade process after the computer restarts,
Windows Setup rolls back the system to the previous OS. The task sequence then
continues with any steps in the Rollback group. After you create the task sequence, add
optional steps in this group as necessary. For example, reverse any changes made to the
system in the Prepare for Upgrade group, such as uninstalling incompatible software.

Run actions on failure


The default task sequence template for Windows in-place upgrade includes a group to
Run actions on failure. This group includes recommended actions to add in case the
upgrade process fails. These actions make it easier to troubleshoot.

Collect logs
To gather logs from the client, add steps in this group.

A common practice is to copy the log files to a network share. To establish this
connection, use the Connect to Network Folder step.

To do the copy operation, use a custom script or utility with either the Run
Command Line or Run PowerShell Script step.

Files to collect might include the following logs:

%_SMSTSLogPath%\*.log
%SystemDrive%\$Windows.~BT\Sources\Panther\setupact.log

For more information on setupact.log and other Windows Setup logs, see
Windows Setup Log files.

For more information on Configuration Manager client logs, see Configuration
Manager client logs.

For more information on _SMSTSLogPath and other useful variables, see Task
sequence variables.

Run diagnostic tools


To run diagnostic tools, add steps in this group. Automate these tools for collecting
additional information from the system right after the failure.

One such tool is Windows SetupDiag. It's a standalone diagnostic tool to get details
about why a Windows upgrade was unsuccessful.

In Configuration Manager, create a package for the tool.

Add a Run Command Line step to this group of your task sequence. Use the
Package option to reference the tool. The following string is an example
Command line:

SetupDiag.exe /Output:"%_SMSTSLogPath%\SetupDiagResults.log"

Tip

Always use the most recent version of SetupDiag for the latest functionality and
fixes to known issues. For more information, see SetupDiag.

Other recommendations

Windows documentation
Review Windows documentation to Resolve Windows client upgrade errors. This article
also includes detailed information about the upgrade process.

Check minimum disk space


On the default Check Readiness step, enable Ensure minimum free disk space (MB). Set
the value to at least 16384 (16 GB) for a 32-bit OS upgrade package, or 20480 (20 GB)
for 64-bit.

Retry downloading policy


Use the SMSTSDownloadRetryCount task sequence variable to retry downloading
policy. Currently by default, the client retries twice; this variable is set to two (2). If your
clients aren't on a wired intranet network connection, more retries help the client obtain
policy. Using this variable causes no negative side effect, other than delayed failure if it
can't download policy. Also increase the SMSTSDownloadRetryDelay variable from the
default 15 seconds.

Do an inline compatibility assessment


1. Add a second Upgrade Operating System step early in the Prepare for Upgrade
group.

a. Name it Upgrade assessment.

b. Specify the same upgrade package, and then enable the option to Perform
Windows Setup compatibility scan without starting upgrade.
c. Enable Continue on error on the Options tab.

2. Immediately following this Upgrade assessment step, add a Run Command Line
step. Specify the following command line:

cmd /c exit %_SMSTSOSUpgradeActionReturnCode%

This command causes the command prompt to exit with the specified non-zero
exit code, which the task sequence considers a failure.

3. On the Options tab, add the following condition:

Task Sequence Variable _SMSTSOSUpgradeActionReturnCode not equals 3247440400

This condition means that the task sequence only runs this Run Command Line
step if the return code isn't a success code.

The return code 3247440400 is the decimal equivalent of
MOSETUP_E_COMPAT_SCANONLY (0xC1900210), which is a successful compatibility
scan with no issues. If the Upgrade Assessment step succeeds and returns 3247440400,
the task sequence skips this Run Command Line step, and continues. If the assessment
step returns any other return code, this Run Command Line step runs. Because the
command exits with a non-zero return code, the task sequence also fails. The task
sequence log and status messages include the return code from the Windows Setup
compatibility scan. For more information on _SMSTSOSUpgradeActionReturnCode, see
Task sequence variables.

For more information, see the Upgrade operating system task sequence step.

Convert from BIOS to UEFI


If you want to change the device from BIOS to UEFI during this task sequence, see
Convert from BIOS to UEFI during an in-place upgrade.

Manage BitLocker

If you're using BitLocker Disk Encryption, then by default Windows Setup automatically
suspends it during upgrade. Windows Setup includes the /BitLocker command-line
parameter to control this behavior. If your security requirements need devices to always
have active disk encryption, then use the OSDSetupAdditionalUpgradeOptions task
sequence variable in the Prepare for Upgrade group to include /BitLocker
TryKeepActive. For more information, see Windows Setup Command-line Options.

Remove default apps
Some customers remove default provisioned apps in Windows. For example, the Bing
Weather app, or the Microsoft Solitaire Collection. In some situations, these apps return
after upgrading Windows. For more information, see How to keep apps removed from
Windows client from returning during an update.

Add a Run Command Line step to the task sequence in the Prepare for Upgrade group.
Specify a command line similar to the following example:

cmd /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe" /f

Next steps
For more information, see the following articles:

Upgrade Windows to the latest version


Create a task sequence to upgrade an OS
About task sequence steps: Upgrade OS

Preprovision BitLocker in Windows PE with Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The Pre-provision BitLocker task sequence step in Configuration Manager allows you to
enable BitLocker from the Windows Preinstallation Environment (Windows PE) prior to
operating system deployment. Only the used drive space is encrypted, and therefore,
encryption times are much faster. This is done with a randomly generated clear
protector applied to the formatted volume and encrypting the volume prior to running
the Windows setup process. The ability to pre-provision BitLocker was introduced with
Windows 8 and Windows Server 2012. However, you can pre-provision BitLocker on a
hard drive and install Windows 7 as long as you follow specific steps. After Windows 7
Setup completes, you must set a BitLocker key protector because the Windows 7
BitLocker control panel does not support BitLocker with a clear protector. You must add
a key protector by using the Enable BitLocker step or by using the manage-bde.exe
command-line tool.

Generally, you must do the following to successfully pre-provision BitLocker on a
computer that will install Windows 7:

Restart the computer in Windows PE

Important

You must use a boot image with Windows PE 4 or later to pre-provision
BitLocker. For more information about supported Windows PE versions in
Configuration Manager, see Dependencies External to Configuration
Manager.

Partition and format the hard drive

Pre-provision BitLocker

Install Windows 7 with specific operating system and network settings

Add a key protector to BitLocker

In Configuration Manager, the recommended way to pre-provision BitLocker on a
hard drive and install Windows 7 is to create a new task sequence and select Install
an existing image package from the Create New Task Sequence page of the
Create Task Sequence Wizard. The wizard creates the task sequence steps listed in
the following table.

Note

The task sequence might have additional steps depending on how you configured
the settings in the wizard. For example, you might have the Capture Windows
Settings step if you selected Captured Microsoft Windows settings on the State
Migration page of the wizard.

| Task sequence step | Details |
|---|---|
| Disable BitLocker | This step disables BitLocker encryption, if it is currently enabled. For more information, see Disable BitLocker. |
| Restart Computer in Windows PE | This step restarts the computer in Windows PE by running the boot image assigned to the task sequence. You must use a boot image with Windows PE 4 or later to pre-provision BitLocker. For more information, see Restart Computer. |
| Partition Disk 0 - BIOS and Partition Disk 0 - UEFI | These steps format and partition the specified drive on the destination computer by using BIOS or UEFI. The task sequence uses UEFI when it detects that the destination computer is in UEFI mode. For more information, see Format and Partition Disk. |
| Pre-provision BitLocker | This step enables BitLocker on a drive while in Windows PE. Only the used drive space is encrypted. Because you partitioned and formatted the hard drive in the previous step, there is no data, and encryption completes very quickly. For more information, see Pre-provision BitLocker. |
| Apply Operating System | This step prepares the answer file that is used to install the operating system on the destination computer and sets the OSDTargetSystemDrive task sequence variable to the drive letter of the partition that contains the operating system files. The answer file and variable are used by the Setup Windows and ConfigMgr step to install the operating system. For more information, see Apply Operating System Image. |
| Apply Windows Settings | This step adds Windows settings to the answer file. The answer file is used by the Setup Windows and ConfigMgr step to install the operating system. For more information, see Apply Windows Settings. |
| Apply Network Settings | This step adds Network settings to the answer file. The answer file is used by the Setup Windows and ConfigMgr step to install the operating system. For more information, see Apply Network Settings Step. |
| Apply Device Drivers | This step matches and installs drivers as part of the operating system deployment. For more information, see Auto Apply Drivers. |
| Setup Windows and ConfigMgr | This step performs the transition from Windows PE to the new operating system. This task sequence step is a required part of any operating system deployment. It installs the Configuration Manager client into the new operating system and prepares for the task sequence to continue execution in the new operating system. For more information, see Setup Windows and ConfigMgr. |
| Enable BitLocker | This step enables BitLocker encryption on the hard drive and sets key protectors. Because the hard drive was pre-provisioned with BitLocker, this step completes very quickly. Windows 7 requires that you add a key protector. If you do not use this step, you can run the manage-bde.exe command-line tool to set a key protector. For more information, see Enable BitLocker. |
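
One way to confirm, from a Run PowerShell Script step in the full OS, that the OS volume ended up protected after the Enable BitLocker step or after an in-place upgrade during which Windows Setup suspended BitLocker. This is an added example, not code from the original article or from Configuration Manager: the function names and the custom variable BitLockerVerified are assumptions, and it relies on the Get-BitLockerVolume cmdlet from the Windows BitLocker module.

```powershell
# Added example; not Configuration Manager code. Function names and the custom
# variable BitLockerVerified are hypothetical. Run elevated in the full OS.

function Get-ProtectionProblem {
    # Pure decision logic: returns the reasons a volume is NOT protected.
    param(
        [Parameter(Mandatory)] [string] $ProtectionStatus,   # On | Off | Unknown
        [Parameter(Mandatory)] [string] $VolumeStatus,       # e.g. FullyEncrypted
        [string[]] $KeyProtectorTypes = @(),
        [string[]] $RequiredProtectorTypes = @()              # optional site policy
    )
    $problems = @()
    if ($ProtectionStatus -ne 'On') {
        # Off covers a suspended volume as well as a pre-provisioned volume
        # that still has only the clear protector.
        $problems += "protection status is '$ProtectionStatus'"
    }
    if ($VolumeStatus -eq 'FullyDecrypted') {
        $problems += 'volume is not encrypted'
    }
    if ($KeyProtectorTypes.Count -eq 0) {
        $problems += 'no key protector is set'
    }
    foreach ($type in $RequiredProtectorTypes) {
        if ($KeyProtectorTypes -notcontains $type) {
            $problems += "required protector '$type' is missing"
        }
    }
    return $problems
}

function Test-OSVolumeProtection {
    # Reads the live volume state and feeds it to the decision logic.
    param(
        [string]   $MountPoint = $env:SystemDrive,
        [string[]] $RequiredProtectorTypes = @()
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | Where-Object { $_ } |
               ForEach-Object { [string]$_.KeyProtectorType })
    $state = @{
        ProtectionStatus       = [string]$vol.ProtectionStatus
        VolumeStatus           = [string]$vol.VolumeStatus
        KeyProtectorTypes      = $types
        RequiredProtectorTypes = $RequiredProtectorTypes
    }
    return @(Get-ProtectionProblem @state)
}

# The TSEnvironment COM object exists only inside a running task sequence.
try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop }
catch { $tsenv = $null }

if ($tsenv) {
    # Example policy: insist on a recovery password protector as well.
    $problems = @(Test-OSVolumeProtection -RequiredProtectorTypes 'RecoveryPassword')
    $ok = ($problems.Count -eq 0)

    # Record the outcome so later steps can use it in a condition.
    $tsenv.Value('BitLockerVerified') = "$ok".ToLower()

    $log = Join-Path ($tsenv.Value('_SMSTSLogPath')) 'BitLockerVerify.log'
    "$(Get-Date -Format s) verified=$ok $($problems -join '; ')" |
        Out-File -FilePath $log -Append

    if (-not $ok) { exit 1 }    # a non-zero exit code fails the step
}
else {
    # Outside a task sequence: show the decision logic on constructed states.
    $samples = @(
        @{ Name = 'pre-provisioned, clear protector only'; P = 'Off'; V = 'FullyEncrypted'; K = @() },
        @{ Name = 'suspended during upgrade'; P = 'Off'; V = 'FullyEncrypted'; K = @('Tpm', 'RecoveryPassword') },
        @{ Name = 'key protector added'; P = 'On'; V = 'FullyEncrypted'; K = @('Tpm', 'RecoveryPassword') }
    )
    foreach ($s in $samples) {
        $r = @(Get-ProtectionProblem -ProtectionStatus $s.P -VolumeStatus $s.V -KeyProtectorTypes $s.K)
        '{0}: {1}' -f $s.Name, $(if ($r.Count) { $r -join '; ' } else { 'protected' })
    }
}
```
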
How to use task sequence variables in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

The task sequence engine in the OS deployment feature of Configuration Manager uses
many variables to control its behaviors. Use these variables to:

Set conditions on steps


Change behaviors for specific steps
Use in scripts for more complex actions

For a reference of all available task sequence variables, see Task sequence variables.

Types of variables
There are several types of variables:

Built-in
Action
Custom
Read-only
Array

Built-in variables
Built-in variables provide information about the environment where the task sequence
runs. Their values are available throughout the whole task sequence. Typically, the task
sequence engine initializes built-in variables before it runs any steps.

For example, _SMSTSLogPath is an environment variable that specifies the path to which
Configuration Manager components write log files. Any task sequence step can access
this environment variable.

The task sequence evaluates some variables before each step. For example,
_SMSTSCurrentActionName lists the name of the current step.

Action variables
Task sequence action variables specify configuration settings that a single task sequence
step uses. By default, the step initializes its settings before it runs. These settings are
available only while the associated task sequence step runs. The task sequence adds the
action variable value to the environment before it runs the step. It then removes the
value from the environment after the step runs.

For example, you add the Run Command Line step to a task sequence. This step
includes a Start In property. The task sequence stores a default value for this property as
the WorkingDirectory variable. The task sequence initializes this value before it runs the
Run Command Line step. While this step is running, access the Start In property value
from the WorkingDirectory value. After the step completes, the task sequence removes
the value of the WorkingDirectory variable from the environment. If the task sequence
includes another Run Command Line step, it initializes a new WorkingDirectory variable.
At that time, the task sequence sets the variable to the starting value for the current
step. For more information, see WorkingDirectory.

The default value for an action variable is present when the step runs. If you set a new
value, it's available to multiple steps in the task sequence. If you override a default value,
the new value stays in the environment. This new value overrides the default value for
other steps in the task sequence. For example, you add a Set Task Sequence Variable
step as the first step of the task sequence. This step sets the WorkingDirectory variable
to C:\. Any Run Command Line step in the task sequence uses the new starting
directory value.

Some task sequence steps mark certain action variables as output. Steps later in the task
sequence read these output variables.

Note

Not all task sequence steps have action variables. For example, although there are
variables associated with the Enable BitLocker action, there are no variables
associated with the Disable BitLocker action.

Custom variables
These variables are any that Configuration Manager doesn't create. Initialize your own
variables to use as conditions, in command lines, or in scripts.

When you specify a name for a new task sequence variable, follow these guidelines:
The task sequence variable name can include letters, numbers, the underscore
character ( _ ), and a hyphen ( - ).

Task sequence variable names have a minimum length of one character and a
maximum length of 256 characters.

User-defined variables must begin with a letter ( A-Z or a-z ).

User-defined variable names can't begin with the underscore character. Only read-
only task sequence variables are preceded by the underscore character.

Task sequence variable names aren't case-sensitive. For example, OSDVAR and
osdvar are the same task sequence variable.

Task sequence variable names can't begin or end with a space. They also can't have
embedded spaces. The task sequence ignores any spaces at the beginning or the
end of a variable name.

There's no set limit to how many task sequence variables you can create. However, the
number of variables is limited by the size of the task sequence environment. The total
size limit for the task sequence environment is 8 KB. For more information, see Reduce
the size of task sequence policy.

Read-only variables
You can't change the value of some variables, which are read-only. Usually the name
begins with an underscore character ( _ ). The task sequence uses them for its
operations. Read-only variables are visible in the task sequence environment.

These variables are useful in scripts or command-lines. For example, running a
command line and piping the output to a log file in _SMSTSLogPath with the other log
files.

Note

Read-only task sequence variables can be read by steps in a task sequence but they
can't be set. For example, use a read-only variable as part of the command line for
a Run Command Line step. You can't set a read-only variable by using the Set Task
Sequence Variable step.

Array variables
The task sequence stores some variables as an array. Each element in the array
represents the settings for a single object. Use these variables when a device has more
than one object to configure. The following task sequence steps use array variables:

Apply Network Settings

Format and Partition Disk

How to set variables


For custom variables or variables that aren't read-only, there are several methods to
initialize and set the value of the variable:

Set Task Sequence Variable step


Set Dynamic Variables step
Run PowerShell Script step
Collection and device variables
TSEnvironment COM object
Prestart command
Task Sequence Wizard
Task Sequence Media Wizard

Delete a variable from the environment by using the same methods as creating a
variable. To delete a variable, set the variable value to an empty string.

You can combine methods to set a task sequence variable to different values for the
same sequence. For example, set the default values using the task sequence editor, and
then set custom values using a script.

If you set the same variable by different methods, the task sequence engine uses the
following order:

1. It evaluates collection variables first.

2. Device-specific variables override the same variable set on a collection.

3. Variables set by any method during the task sequence take precedence over
collection or device variables.

General limitations for task sequence variable values


Task sequence variable values can't be more than 4,000 characters.
You can't change a read-only task sequence variable. Read-only variables have
names that start with an underscore character ( _ ).

Task sequence variable values can be case-sensitive depending on the usage of the
value. In most cases, task sequence variable values aren't case-sensitive. A variable
that includes a password is case-sensitive.

Set Task Sequence Variable


Use this step in the task sequence to set a single variable to a single value.

For more information, see Set Task Sequence Variable.

Set Dynamic Variables


Use this step in the task sequence to set one or more task sequence variables. You
define rules in this step to determine which variables and values to use.

For more information, see Set Dynamic Variables.

Run PowerShell Script


Use this step in the task sequence to use a PowerShell script to set a task sequence
variable.

You can specify a script name from a package, or directly enter a PowerShell script in the
step. Then use the step property to Output to task sequence variable to save the script
output to a custom task sequence variable.

For more information on this step, see Run PowerShell Script.

Note

You can also use a PowerShell script to set one or more variables with the
TSEnvironment object. For more information, see How to use variables in a
running task sequence in the Configuration Manager SDK.

Example scenario with Run PowerShell Script step


Your environment has users in multiple countries/regions, so you want to query the OS
language to set as a condition on multiple language-specific Apply OS steps.
1. Add an instance of the Run PowerShell Script to the task sequence before the
Apply OS steps.

2. Use the option to Enter a PowerShell script to specify the following command:

PowerShell

(Get-Culture).TwoLetterISOLanguageName

For more information on the cmdlet, see Get-Culture. For more information on the
two-letter ISO language names, see List of ISO 639-1 codes .

3. For the option to Output to task sequence variable, specify CurrentOSLanguage .

4. On the Apply OS step for the English language image, create the following
condition: Task Sequence Variable CurrentOSLanguage equals "en"

Tip

For more information on how to create a condition on a step, see How to
access variables - Step condition.

5. Save and deploy the task sequence.

When the Run PowerShell Script step runs on a device with the English language
version of Windows, the command returns the value en. It then saves that value into the
custom variable. When the Apply OS step for the English language image runs on the
same device, the condition evaluates to true. If you have multiple instances of the Apply
OS step for different languages, the task sequence dynamically runs the step that
matches the OS language.

Collection and device variables


You can define custom task sequence variables for devices and collections. Variables that
you define for a device are referred to as per-device task sequence variables. Variables
defined for a collection are referred to as per-collection task sequence variables. If
there's a conflict, per-device variables take precedence over per-collection variables.
This behavior means that task sequence variables that are assigned to a specific device
automatically have a higher priority than variables that are assigned to the collection
that contains the device.
For example, device XYZ is a member of collection ABC. You assign MyVariable to
collection ABC with a value of 1. You also assign MyVariable to device XYZ with a value
of 2. The variable that's assigned to XYZ has higher priority than the variable that's
assigned to collection ABC. When a task sequence with this variable runs on XYZ,
MyVariable has a value of 2.

You can hide per-device and per-collection variables so that they aren't visible in the
Configuration Manager console. When you use the option Do not display this value in
the Configuration Manager console, the value of the variable isn't displayed in the
console. The task sequence log file (smsts.log) or the task sequence debugger won't
show the variable value either. The variable can still be used by the task sequence when
it runs. If you no longer want these variables to be hidden, delete them first. Then
redefine the variables without selecting the option to hide them.

Warning

If you include variables in the Run Command Line step's command line, the task
sequence log file displays the full command line including the variable values. To
prevent potentially sensitive data from appearing in the log file, set the task
sequence variable OSDDoNotLogCommand to TRUE.

You can manage per-device variables at a primary site or at a central administration site.
Configuration Manager doesn't support more than 1,000 assigned variables for a device.

Important

When you use per-collection variables for task sequences, consider the following
behaviors:

Changes to collections are always replicated throughout the hierarchy. Any
changes that you make to collection variables apply not just to members of
the current site, but to all members of the collection throughout the hierarchy.

When you delete a collection, this action also deletes the task sequence
variables that you configured for the collection.

Create task sequence variables for a device

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Devices node.

2. Select the target device and select Properties.

3. In the Properties dialog box, switch to the Variables tab.

4. For each variable that you want to create, select the New icon. Specify the Name
and Value of the task sequence variable. If you want to hide the variable so that it's
not visible in the Configuration Manager console, select the option Do not display
this value in the Configuration Manager console.

5. After you've added all the variables to the device properties, select OK.

Create task sequence variables for a collection

1. In the Configuration Manager console, go to the Assets and Compliance
workspace, and select the Device Collections node. Select the target collection and
choose Properties.

2. In the Properties dialog box, switch to the Collection Variables tab.

3. For each variable that you want to create, select the New icon. Specify the Name
and Value of the task sequence variable. If you want to hide the variable so that it's
not visible in the Configuration Manager console, select the option Do not display
this value in the Configuration Manager console.

4. Optionally, specify the priority for Configuration Manager to use when the task
sequence variables are evaluated.

5. After you've added all the variables to the collection properties, select OK.

TSEnvironment COM object


To work with variables from a script, use the TSEnvironment object.

For more information, see How to use variables in a running task sequence in the
Configuration Manager SDK.

Prestart command
The prestart command is a script or executable that runs in Windows PE before the user
selects the task sequence. The prestart command can query a variable or prompt the
user for information, and then save it in the environment. Use the TSEnvironment COM
object to read and write variables from the prestart command.

For more information, see Prestart commands for task sequence media.

Task Sequence Wizard
After you select a task sequence in the Task Sequence Wizard window, the page to edit
task sequence variables includes an Edit button. You can use accessible keyboard
shortcuts to edit the variables. This change helps in cases where a mouse isn't available.

Task Sequence Media Wizard


Specify variables for task sequences that run from media. When using media to deploy
the OS, you add the task sequence variables and specify their values when you create
the media. The variables and their values are stored on the media.

Note

Task sequences are stored on stand-alone media. However, all other types of
media, such as prestaged media, retrieve the task sequence from a management
point.

When you run a task sequence from media, you can add a variable on the
Customization page of the wizard.

Use the media variables in place of per-collection or per-computer variables. If the task
sequence is running from media, per-computer and per-collection variables don't apply
and aren't used.

Tip

The task sequence writes the package ID and prestart command line to the
CreateTSMedia.log file on the computer that runs the Configuration Manager
console. This log file includes the value for any task sequence variables. Review this
log file to verify the value for the task sequence variables.

For more information, see Create task sequence media.
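
Because smsts.log records Run Command Line command lines with their variable values unless OSDDoNotLogCommand is set, and CreateTSMedia.log records the values of media variables, an audit of collected log files can flag entries that carry credential-like arguments so those secrets can be rotated. This is an added example, not code from the original article or from Configuration Manager: the function names, the matching pattern, and the sample log lines are constructed for illustration, and findings are reported with the value redacted.

```powershell
# Added example; function names and the pattern are hypothetical, and the log
# lines below are constructed. Multi-line log entries are not handled.

function Get-LogMessage {
    # CMTrace-style lines wrap the text in <![LOG[ ... ]LOG]!>; plain lines pass through.
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Line)
    if ($Line -match '<!\[LOG\[(?<msg>.*)\]LOG\]!><.*?component="(?<comp>[^"]*)"') {
        return [pscustomobject]@{ Message = $Matches.msg; Component = $Matches.comp }
    }
    return [pscustomobject]@{ Message = $Line; Component = '' }
}

function Find-LoggedSecret {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()]
        [string[]] $Lines,
        # Either a /switch or -switch whose name looks like a secret, or a
        # name=value / name:value pair whose name looks like a secret.
        [string] $Pattern = '(?i)(?<key>[/-]{1,2}\w*(?:password|passwd|pwd|secret|token)\w*[:=\s]\s*|\b\w*(?:password|passwd|pwd|secret|token)\w*\s*[:=]\s*)(?<val>"[^"]*"|\S+)'
    )
    $n = 0
    foreach ($line in $Lines) {
        $n++
        $entry = Get-LogMessage -Line $line
        if ($entry.Message -match $Pattern) {
            [pscustomobject]@{
                LineNumber = $n
                Component  = $entry.Component
                Key        = $Matches.key.Trim(' ', ':', '=')
                # Never echo the value: the audit output is itself a log.
                Redacted   = [regex]::Replace($entry.Message, $Pattern, '${key}<redacted>')
            }
        }
    }
}

# Constructed sample lines (tool names and values are made up).
$meta = '<time="10:15:30.000+000" date="10-04-2022" component="RunCommandLine" context="" type="1" thread="1234" file="constructed:1">'
$constructed = @(
    ('<![LOG[Command line: "deploytool.exe" /server:sql01 /password:Constructed-Value-1]LOG]!>' + $meta),
    ('<![LOG[Command line: setup.cmd DBPWD=Constructed-Value-2 /quiet]LOG]!>' + $meta),
    ('<![LOG[Process completed with exit code 0]LOG]!>' + $meta),
    'Prestart command line: prestart.cmd -token "Constructed Value 3"'
)

Find-LoggedSecret -Lines $constructed | Format-List

# Against a collected log file (path is a placeholder):
#   Find-LoggedSecret -Lines (Get-Content -Path $PathToLog)
```
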

How to access variables


After you specify the variable and its value by using one of the methods from the
previous section, use it in your task sequences. For example, access default values for
built-in task sequence variables, or make a step conditional on the value of a variable.
Use the following methods to access variable values in the task sequence environment:

Use in a step
Step condition
Custom script
Windows setup answer file

Use in a step
Specify a variable value for a setting in a task sequence step. In the task sequence editor,
edit the step, and specify the variable name as the field value. Enclose the variable name
in percent signs ( % ).

For example, use the variable name as part of the Command Line field of the Run
Command Line step. The following command line writes the computer name to a text
file.

cmd.exe /c echo %_SMSTSMachineName% > C:\File.txt

Step condition
Use built-in or custom task sequence variables as part of a condition on a step or group.
The task sequence evaluates the variable value before it runs the step or group.

To add a condition that evaluates a variable value, do the following steps:

1. In the task sequence editor, select the step or group to which you want to add the
condition.

2. Switch to the Options tab for the step or group. Click Add Condition, and select
Task Sequence Variable.

3. In the Task Sequence Variable dialog box, specify the following settings:

Variable: The name of the variable. For example, _SMSTSInWinPE.

Condition: The condition to evaluate the variable value. The following
conditions are available:
Exists
Not exists
Equals
Not equals
Greater than
Greater than or equals
Less than
Less than or equals
Like (supports wildcards of * and ? )
Not like (version 2103 or later)

Value: The value of the variable to check. For example, false.

The three examples above form a common condition to test whether the task sequence
is running from a boot image in Windows PE:

Task Sequence Variable _SMSTSInWinPE equals "false"

See this condition on the Capture Files and Settings group of the default task sequence
template to install an existing OS image.

For more information about conditions, see Task sequence editor - Conditions.

Custom script
Read and write variables by using the Microsoft.SMS.TSEnvironment COM object while
the task sequence is running.

The following Windows PowerShell example queries the _SMSTSLogPath variable to get
the current log location. The script also sets a custom variable.

PowerShell

# Create an object to access the task sequence environment
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Query the environment to get an existing variable
# Set a variable for the task sequence log path
$LogPath = $tsenv.Value("_SMSTSLogPath")

# Or, convert all of the variables currently in the environment to PowerShell variables
$tsenv.GetVariables() | % { Set-Variable -Name "$_" -Value "$($tsenv.Value($_))" }

# Write a message to a log file
Write-Output "Hello world!" | Out-File -FilePath "$LogPath\mylog.log" -Encoding "Default" -Append

# Set a custom variable "startTime" to the current time
$tsenv.Value("startTime") = (Get-Date -Format HH:mm:ss) + ".000+000"
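
The naming rules and value limits listed earlier on this page, applied as a pre-flight check before a script writes custom variables through the TSEnvironment object. This is an added example, not code from the original article or the Configuration Manager SDK: the function names and the sample batch are assumptions, and the setter returns variable names only so that values never reach a log.

```powershell
# Added example; function names are hypothetical. The rules checked are the ones
# this article lists for custom variable names and for variable values.

function Test-TSVariableName {
    # Returns the rule violations for one name (empty result = valid).
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Name)
    $errors = @()
    if ($Name.Length -lt 1 -or $Name.Length -gt 256) {
        $errors += 'length must be 1 to 256 characters'
    }
    if ($Name -match '^_') {
        $errors += 'names that start with an underscore are read-only'
    }
    elseif ($Name -notmatch '^[A-Za-z]') {
        $errors += 'must begin with a letter'
    }
    if ($Name -match '[^A-Za-z0-9_-]') {
        $errors += 'only letters, numbers, underscore and hyphen are allowed'
    }
    return $errors
}

function Test-TSVariableSet {
    # Validates a batch of objects that each have a Name and a Value property.
    param([Parameter(Mandatory)][object[]] $Variables)
    $findings = @()
    foreach ($v in $Variables) {
        # Leading and trailing spaces are ignored by the task sequence.
        $name = ([string]$v.Name).Trim(' ')
        foreach ($e in @(Test-TSVariableName -Name $name)) {
            $findings += "${name}: $e"
        }
        if (([string]$v.Value).Length -gt 4000) {
            $findings += "${name}: value exceeds 4,000 characters"
        }
    }
    # Names aren't case-sensitive, so OSDVAR and osdvar are the same variable.
    $groups = $Variables | Group-Object { ([string]$_.Name).Trim(' ') } |
              Where-Object { $_.Count -gt 1 }
    foreach ($g in $groups) {
        $findings += "$($g.Name): defined $($g.Count) times; names are not case-sensitive"
    }
    return $findings
}

function Set-TSVariableSet {
    # Applies the batch only if every entry passes validation.
    param(
        [Parameter(Mandatory)] $TSEnvironment,
        [Parameter(Mandatory)][object[]] $Variables
    )
    $findings = @(Test-TSVariableSet -Variables $Variables)
    if ($findings.Count) {
        throw "Refusing to set variables: $($findings -join '; ')"
    }
    foreach ($v in $Variables) {
        $n = ([string]$v.Name).Trim(' ')
        $TSEnvironment.Value($n) = [string]$v.Value
    }
    # Names only, so a caller that logs the result never logs a value.
    return @($Variables | ForEach-Object { ([string]$_.Name).Trim(' ') })
}

# Constructed batch that breaks several rules at once.
$batch = @(
    [pscustomobject]@{ Name = 'OSDVAR';        Value = 'one' },
    [pscustomobject]@{ Name = 'osdvar';        Value = 'two' },       # same variable as OSDVAR
    [pscustomobject]@{ Name = '_SMSTSLogPath'; Value = 'C:\Temp' },   # read-only
    [pscustomobject]@{ Name = 'Site Code';     Value = 'ABC' },       # embedded space
    [pscustomobject]@{ Name = 'Notes';         Value = 'x' * 4001 }   # value too long
)
Test-TSVariableSet -Variables $batch

# Inside a running task sequence, apply a valid batch.
try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop }
catch { $tsenv = $null }
if ($tsenv) {
    $valid = @([pscustomobject]@{ Name = 'DeployStage'; Value = 'pilot' })
    Set-TSVariableSet -TSEnvironment $tsenv -Variables $valid
}
```
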

Windows setup answer file


The Windows setup answer file that you supply can have embedded task sequence
variables. Use the form %varname%, where varname is the name of the variable. The
Setup Windows and ConfigMgr step replaces the variable name string with the actual
variable value. These embedded task sequence variables can't be used in numeric-only
fields in an unattend.xml answer file.

For more information, see Setup Windows and ConfigMgr.

See also
Task sequence steps

Task sequence variables

Planning considerations for automating tasks

Task sequence editor


Task sequence variables
Article • 02/22/2023

Applies to: Configuration Manager (current branch)

This article is a reference for all of the available variables in alphabetical order. Use the
browser Find function (typically CTRL + F) to find a specific variable. Each variable's entry
notes if it's specific to a particular step. The article on task sequence steps includes the
list of variables specific to each step.

For more information, see Using task sequence variables.

Task sequence variable reference

_OSDDetectedWinDir
The task sequence scans the computer's hard drives for a previous operating system
installation when Windows PE starts. The Windows folder location is stored in this
variable. You can configure your task sequence to retrieve this value from the
environment and use it to specify the same Windows folder location to use for the new
operating system installation.

_OSDDetectedWinDrive
The task sequence scans the computer's hard drives for a previous operating system
installation when Windows PE starts. The hard drive location for where the operating
system is installed is stored in this variable. You can configure your task sequence to
retrieve this value from the environment and use it to specify the same hard drive
location to use for the new operating system.

_OSDMigrateUsmtPackageID
Applies to the Capture User State step.

(input)

Specifies the package ID of the Configuration Manager package that contains the USMT
files. This variable is required.

_OSDMigrateUsmtRestorePackageID
Applies to the Restore User State step.

(input)

Specifies the package ID of the Configuration Manager package that contains the USMT
files. This variable is required.

_SMSTSAdvertID
Stores the current running task sequence deployment unique ID. It uses the same
format as a Configuration Manager software distribution deployment ID. If the task
sequence is running from stand-alone media, this variable is undefined.

Example
ABC20001

_SMSTSAppInstallNeedsRetry
Available starting with Configuration Manager 2211 HFRU KB 16643863 and later.

Applies to the Install Application step.

This value is set to true if the previous application failed to install and is required to be
retried.

This value is set to false otherwise.

_SMSTSAssetTag
Applies to the Set Dynamic Variables step.

Specifies the asset tag for the computer.

_SMSTSBootImageID
If the current running task sequence references a boot image package, this variable
stores the boot image package ID. If the task sequence doesn't reference a boot image
package, this variable isn't set.

Example
ABC00001

_SMSTSBootUEFI
The task sequence sets this variable when it detects a computer that's in UEFI mode.

_SMSTSClientCache
The task sequence sets this variable when it caches content on the local drive. The
variable contains the path to the cache. If this variable doesn't exist, then there's no
cache.

_SMSTSClientGUID
Stores the value of Configuration Manager client GUID. If the task sequence is running
from standalone media, this variable isn't set.

Example
0a1a9a4b-fc56-44f6-b7cd-c3f8ee37c04c

_SMSTSCurrentActionName
Specifies the name of the currently running task sequence step. This variable is set
before the task sequence manager runs each individual step.

Example
run command line

_SMSTSDefaultGateways
Applies to the Set Dynamic Variables step.

Specifies the default gateways used by the computer.

_SMSTSDownloadOnDemand
If the current task sequence is running in download-on-demand mode, this variable is
true. Download-on-demand mode means the task sequence manager downloads
content locally only when it must access the content.

_SMSTSInWinPE
When the current task sequence step is running in Windows PE, this variable is true.
Test this task sequence variable to determine the current OS environment.

_SMSTSIPAddresses
Applies to the Set Dynamic Variables step.

Specifies the IP addresses used by the computer.

_SMSTSLastActionName
Stores the name of the last action that was run. This variable relates to
_SMSTSLastActionRetCode. The task sequence logs these values to the smsts.log file.
This variable is beneficial when troubleshooting a task sequence. When a step fails, a
custom script can include the step name along with the return code.

_SMSTSLastActionRetCode
Stores the return code from the last action that was run. This variable can be used as a
condition to determine if the next step is run.

Example
0

_SMSTSLastActionSucceeded
If the last step succeeded, this variable is true.

If the last step failed, it's false.

If the task sequence skipped the last action, because the step is disabled or the
associated condition evaluated to false, this variable isn't reset. It still holds the
value for the previous action.

_SMSTSLastContentDownloadLocation
This variable contains the last location where the task sequence downloaded or
attempted to download content. Inspect this variable instead of parsing the client logs
for this content location.

_SMSTSLaunchMode
Specifies that the task sequence started via one of the following methods:

SMS: The Configuration Manager client, such as when a user starts it from
Software Center
UFD: Legacy USB media
UFD+FORMAT: Newer USB media
CD: A bootable CD
DVD: A bootable DVD
PXE: Network boot with PXE
HD: Prestaged media on a hard disk

_SMSTSLogPath
Stores the full path of the log directory. Use this value to determine where the task
sequence steps log their actions. This value isn't set when a hard drive isn't available.

_SMSTSMacAddresses
Applies to the Set Dynamic Variables step.

Specifies the MAC addresses used by the computer.

_SMSTSMachineName
Stores and specifies the computer name. Stores the name of the computer that the task
sequence uses to log all status messages. To change the computer name in the new OS,
use the OSDComputerName variable.

_SMSTSMake
Applies to the Set Dynamic Variables step.

Specifies the make of the computer.

_SMSTSMDataPath
Specifies the path defined by the SMSTSLocalDataDrive variable. This path specifies
where the task sequence stores temporary cache files on the destination computer while
it's running. When you define SMSTSLocalDataDrive before the task sequence starts,
such as by setting a collection variable, Configuration Manager then defines the
_SMSTSMDataPath variable once the task sequence starts.

_SMSTSMediaType
Specifies the type of media used to initiate the installation, which includes:

BootMedia: Boot Media
FullMedia: Full Media
PXE: PXE
OEMMedia: Prestaged Media

_SMSTSModel
Applies to the Set Dynamic Variables step.

Specifies the model of the computer.

_SMSTSMP
Stores the URL or IP address of a Configuration Manager management point.

_SMSTSMPPort
Stores the port number of a Configuration Manager management point.

_SMSTSOrgName
Stores the branding title name that the task sequence displays in the progress dialog.

_SMSTSOSUpgradeActionReturnCode
Applies to the Upgrade operating system step.

Stores the exit code value that Windows Setup returns to indicate success or failure. This
variable is useful with the /Compat command-line option.

Example
On the completion of a compat-only scan, take action in later steps depending on the
failure or success exit code. On success, initiate the upgrade. Or set a marker in the
environment to collect with hardware inventory. For example, add a file or set a registry
key. Use this marker to create a collection of computers that are ready to upgrade, or
that require action before upgrade.

_SMSTSPackageID
Stores the current running task sequence ID. This ID uses the same format as a
Configuration Manager package ID.

Example

HJT00001

_SMSTSPackageName
Stores the current running task sequence name. A Configuration Manager administrator
specifies this name when creating the task sequence.

Example
Deploy Windows 10 task sequence

_SMSTSRunFromDP
Set to true if the current task sequence is running in run-from-distribution-point mode.
This mode means the task sequence manager obtains required package shares from
the distribution point.

_SMSTSSerialNumber
Applies to the Set Dynamic Variables step.

Specifies the serial number of the computer.

_SMSTSSetupRollback
Specifies whether Windows Setup performed a rollback operation during an in-place
upgrade. The variable values can be true or false.

_SMSTSSiteCode
Stores the site code of the Configuration Manager site.

Example
ABC

_SMSTSTimezone
This variable stores the time zone information in the following format:

Bias,StandardBias,DaylightBias,StandardDate.wYear,wMonth,wDayOfWeek,wDay,wHour,wMinute,wSecond,wMilliseconds,DaylightDate.wYear,wMonth,wDayOfWeek,wDay,wHour,wMinute,wSecond,wMilliseconds,StandardName,DaylightName

Example
For the time zone Eastern Time (US and Canada):

300,0,-60,0,11,0,1,2,0,0,0,0,3,0,2,2,0,0,0,Eastern Standard Time,Eastern Daylight Time

_SMSTSType
Specifies the type of the current running task sequence. It can have one of the following
values:

1: A generic task sequence
2: An OS deployment task sequence

_SMSTSUseCRL
When the task sequence uses HTTPS to communicate with the management point, this
variable specifies whether it uses the certificate revocation list (CRL).

_SMSTSUserStarted
Specifies whether a user started the task sequence. This variable is set only if the task
sequence is started from Software Center. For example, if _SMSTSLaunchMode is set to
SMS.

This variable can have the following values:

true: Specifies that the task sequence is manually started by a user from Software
Center.

false: Specifies that the task sequence is initiated automatically by the
Configuration Manager scheduler.

_SMSTSUseSSL
Specifies whether the task sequence uses SSL to communicate with the Configuration
Manager management point. If you configure your site systems for HTTPS, the value is
set to true.

_SMSTSUUID
Applies to the Set Dynamic Variables step.

Specifies the UUID of the computer.

_SMSTSWTG
Specifies if the computer is running as a Windows To Go device.

_TS_CRMEMORY
Applies to the Check Readiness step.

A read-only variable for whether the Minimum memory (MB) check returned true (1) or
false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRSPEED
Applies to the Check Readiness step.

A read-only variable for whether the Minimum processor speed (MHz) check returned
true (1) or false (0). If you don't enable the check, the value of this read-only variable is
blank.

_TS_CRDISK
Applies to the Check Readiness step.

A read-only variable for whether the Minimum free disk space (MB) check returned true
(1) or false (0). If you don't enable the check, the value of this read-only variable is
blank.

_TS_CROSTYPE
Applies to the Check Readiness step.

A read-only variable for whether the Current OS to be refreshed is check returned true
(1) or false (0). If you don't enable the check, the value of this read-only variable is
blank.

_TS_CRARCH
Applies to the Check Readiness step.

A read-only variable for whether the Architecture of current OS check returned true (1)
or false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRMINOSVER
Applies to the Check Readiness step.

A read-only variable for whether the Minimum OS version check returned true (1) or
false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRMAXOSVER
Applies to the Check Readiness step.

A read-only variable for whether the Maximum OS version check returned true (1) or
false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRCLIENTMINVER
Applies to the Check Readiness step.

A read-only variable for whether the Minimum client version check returned true (1) or
false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CROSLANGUAGE
Applies to the Check Readiness step.

A read-only variable for whether the Language of current OS check returned true (1) or
false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRACPOWER
Applies to the Check Readiness step.

A read-only variable for whether the AC power plugged in check returned true (1) or
false (0). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRNETWORK
Applies to the Check Readiness step.

A read-only variable for whether the Network adapter connected check returned true
(1) or false (0). If you don't enable the check, the value of this read-only variable is
blank.

_TS_CRUEFI
Applies to the Check Readiness step.

A read-only variable for whether the Computer is in UEFI mode check returned BIOS (0)
or UEFI (1). If you don't enable the check, the value of this read-only variable is blank.

_TS_CRWIRED
Applies to the Check Readiness step.

A read-only variable for whether the Network adapter is not wireless check returned
true (1) or false (0). If you don't enable the check, the value of this read-only variable is
blank.

_TS_CRTPMACTIVATED
Starting in version 2111

Applies to the Check Readiness step.

A read-only variable for whether the TPM 2.0 or above is activated check returned
inactive (0) or active (1). If you don't enable the check, the value of this read-only
variable is blank.

_TS_CRTPMENABLED
Starting in version 2111

Applies to the Check Readiness step.

A read-only variable for whether the TPM 2.0 or above is enabled check returned
disabled (0) or enabled (1). If you don't enable the check, the value of this read-only
variable is blank.

_TSAppInstallStatus
The task sequence sets this variable with the installation status for the application during
the Install Application step. It sets one of the following values:

Undefined: The Install Application step hasn't run.

Error: At least one application failed because of an error during the Install
Application step.

Warning: No errors occurred during the Install Application step. One or more
applications, or a required dependency, didn't install because a requirement wasn't
met.

Success: There are no errors or warnings detected during the Install Application
step.

_TSSecureBoot
Use this variable to determine the state of secure boot on a UEFI-enabled device. The
variable can have one of the following values:

NA: The associated registry value doesn't exist, which means the device doesn't
support secure boot.
Enabled: The device has secure boot enabled.
Disabled: The device has secure boot disabled.
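
The following is an added example, not code from the original documentation: a pre-encryption gate that combines _TSSecureBoot with the _TS_CRUEFI, _TS_CRTPMENABLED and _TS_CRTPMACTIVATED results, and treats a blank readiness value as "check not enabled" rather than as a pass. The function names Get-TsVariables and Test-OsdHardwareTrust are hypothetical, the sample table is constructed, and requiring all four conditions is an assumed policy.

```powershell
Set-StrictMode -Version Latest

function Get-TsVariables {
    # Read only the named variables. Inside a task sequence the values come from the
    # Microsoft.SMS.TSEnvironment COM object; elsewhere that class is not registered,
    # so the constructed fallback table is returned instead.
    param([string[]]$Names, [hashtable]$Fallback = @{})
    try   { $tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop }
    catch { return $Fallback }
    $table = @{}
    foreach ($n in $Names) { $table[$n] = $tsenv.Value($n) }
    return $table
}

function Test-OsdHardwareTrust {
    # Hypothetical helper: returns Ready = $true only when every input is a clear pass.
    param([Parameter(Mandatory)][hashtable]$Vars)

    $findings = New-Object System.Collections.Generic.List[string]

    # Check Readiness results: 1 = pass, 0 = fail, blank = check not enabled.
    $checks = [ordered]@{
        '_TS_CRUEFI'         = 'Computer is in UEFI mode'
        '_TS_CRTPMENABLED'   = 'TPM 2.0 or above is enabled'
        '_TS_CRTPMACTIVATED' = 'TPM 2.0 or above is activated'
    }
    foreach ($name in $checks.Keys) {
        $value = [string]$Vars[$name]
        switch ($value.Trim()) {
            '1'     { }
            '0'     { $findings.Add("FAIL    $name ($($checks[$name]))") }
            ''      { $findings.Add("UNKNOWN $name (check not enabled in Check Readiness)") }
            default { $findings.Add("UNKNOWN $name (unexpected value '$value')") }
        }
    }

    # _TSSecureBoot is NA, Enabled or Disabled.
    switch ([string]$Vars['_TSSecureBoot']) {
        'Enabled'  { }
        'Disabled' { $findings.Add('FAIL    _TSSecureBoot (secure boot is disabled)') }
        'NA'       { $findings.Add('FAIL    _TSSecureBoot (device does not support secure boot)') }
        default    { $findings.Add('UNKNOWN _TSSecureBoot (variable not set)') }
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Constructed sample: TPM enabled but not activated, and the UEFI check was not
# enabled in the Check Readiness step, so its variable is blank.
$names  = '_TS_CRUEFI', '_TS_CRTPMENABLED', '_TS_CRTPMACTIVATED', '_TSSecureBoot'
$sample = @{
    '_TS_CRUEFI'         = ''
    '_TS_CRTPMENABLED'   = '1'
    '_TS_CRTPMACTIVATED' = '0'
    '_TSSecureBoot'      = 'Enabled'
}

$result = Test-OsdHardwareTrust -Vars (Get-TsVariables -Names $names -Fallback $sample)
$result.Findings
"Ready: $($result.Ready)"
```

In a Run PowerShell Script step, the Ready property can drive the script's exit code so that a later Enable BitLocker step runs only on devices that passed.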

OSDAdapter
Applies to the Apply Network Settings step.

(input)

This task sequence variable is an array variable. Each element in the array represents the
settings for a single network adapter on the computer. Access the settings for each
adapter by combining the array variable name with the zero-based network adapter
index and the property name.

If the Apply Network Settings step configures multiple network adapters, it defines the
properties for the second network adapter by using the index 1 in the variable name. For
example: OSDAdapter1EnableDHCP, OSDAdapter1IPAddressList, and
OSDAdapter1DNSDomain.

Use the following variable names to define the properties of the first network adapter
for the step to configure:

OSDAdapter0EnableDHCP
This setting is required. Possible values are True or False. For example:

true: enable Dynamic Host Configuration Protocol (DHCP) for the adapter

OSDAdapter0IPAddressList
Comma-delimited list of IP addresses for the adapter. This property is ignored unless
EnableDHCP is set to false. This setting is required.

OSDAdapter0SubnetMask
Comma-delimited list of subnet masks. This property is ignored unless EnableDHCP is
set to false. This setting is required.

OSDAdapter0Gateways
Comma-delimited list of IP gateway addresses. This property is ignored unless
EnableDHCP is set to false. This setting is required.

OSDAdapter0DNSDomain
Domain Name System (DNS) domain for the adapter.

OSDAdapter0DNSServerList

Comma-delimited list of DNS servers for the adapter. This setting is required.

OSDAdapter0EnableDNSRegistration

Set to true to register the IP address for the adapter in DNS.

OSDAdapter0EnableFullDNSRegistration

Set to true to register the IP address for the adapter in DNS under the full DNS name
for the computer.

OSDAdapter0EnableIPProtocolFiltering
Set to true to enable IP protocol filtering on the adapter.

OSDAdapter0IPProtocolFilterList
Comma-delimited list of protocols allowed to run over IP. This property is ignored if
EnableIPProtocolFiltering is set to false.

OSDAdapter0EnableTCPFiltering

Set to true to enable TCP port filtering for the adapter.

OSDAdapter0TCPFilterPortList
Comma-delimited list of ports to be granted access permissions for TCP. This property is
ignored if EnableTCPFiltering is set to false.

OSDAdapter0TcpipNetbiosOptions

Options for NetBIOS over TCP/IP. Possible values are as follows:

0: Use NetBIOS settings from DHCP server
1: Enable NetBIOS over TCP/IP
2: Disable NetBIOS over TCP/IP

OSDAdapter0MacAddress

MAC address used to match settings to the physical network adapter.

OSDAdapter0Name

The name of the network connection as it appears in the network connections control
panel program. The name is between 0 and 255 characters long.

OSDAdapter0Index
Index of the network adapter settings in the array of settings.

Example
OSDAdapterCount = 1
OSDAdapter0EnableDHCP = FALSE
OSDAdapter0IPAddressList = 192.168.0.40
OSDAdapter0SubnetMask = 255.255.255.0
OSDAdapter0Gateways = 192.168.0.1
OSDAdapter0DNSSuffix = contoso.com

OSDAdapterCount
Applies to the Apply Network Settings step.

(input)

Specifies the number of network adapters installed on the destination computer. When
you set the OSDAdapterCount value, also set all the configuration options for each
adapter.

For example, if you set the OSDAdapter0TCPIPNetbiosOptions value for the first
adapter, then you must configure all the values for that adapter.

If you don't specify this value, the task sequence ignores all OSDAdapter values.

OSDAppInstallRetries
Starting in Configuration Manager 2211 HFRU KB 16643863 and above

Applies to the Install Application step.

(input)

Specifies the number of times the task sequence step tries to install an application in the
case of failure. The value must be specified to trigger a retry in the case of application
installation failure. Application installation retry is attempted only when the 'Install Next
Application on Failure' option is not selected on the task.

The default is 0, so the task sequence does not retry application installation by default.

OSDAppInstallRetryTimeout
Starting in Configuration Manager 2211 HFRU KB 16643863 and above

Applies to the Install Application step.

(input)

Specifies the time, in milliseconds, that the task sequence should wait before retrying an
application installation on failure. The value defaults to 30 seconds (30000 milliseconds).
For example, specify a value of 45000 for a retry delay of 45 seconds.

OSDApplyDriverBootCriticalContentUniqueID
Applies to the Apply Driver Package step.

(input)

Specifies the content ID of the mass storage device driver to install from the driver
package. If this variable isn't specified, no mass storage driver is installed.

OSDApplyDriverBootCriticalHardwareComponent
Applies to the Apply Driver Package step.

(input)

Specifies whether a mass storage device driver is installed. This variable must be scsi.

If OSDApplyDriverBootCriticalContentUniqueID is set, this variable is required.


OSDApplyDriverBootCriticalID
Applies to the Apply Driver Package step.

(input)

Specifies the boot critical ID of the mass storage device driver to install. This ID is listed
in the scsi section of the device driver's txtsetup.oem file.

If OSDApplyDriverBootCriticalContentUniqueID is set, this variable is required.

OSDApplyDriverBootCriticalINFFile
Applies to the Apply Driver Package step.

(input)

Specifies the INF file of the mass storage driver to install.

If OSDApplyDriverBootCriticalContentUniqueID is set, this variable is required.

OSDAutoApplyDriverBestMatch
Applies to the Auto Apply Drivers step.

(input)

If there are multiple device drivers in the driver catalog that are compatible with a
hardware device, this variable determines the step's action.

Valid values

true (default): Only install the best device driver

false: Installs all compatible device drivers, and Windows chooses the best driver
to use

OSDAutoApplyDriverCategoryList
Applies to the Auto Apply Drivers step.

(input)

A comma-delimited list of the driver catalog category unique IDs. The Auto Apply
Drivers step only considers the drivers in at least one of the specified categories. This
value is optional, and it's not set by default. Obtain the available category IDs by
enumerating the list of SMS_CategoryInstance objects on the site.

OSDBitLockerPIN
Applies to the Enable BitLocker step.

Specify the PIN for BitLocker encryption. This variable is only valid if the BitLocker mode
is TPM and PIN.

OSDBitLockerRebootCount
Applies to the Disable BitLocker step.

Use this variable to set the number of restarts after which to resume protection.

Valid values

An integer from 1 to 15.

OSDBitLockerRebootCountOverride
Applies to the Disable BitLocker step.

Set this value to override the count set by the step or the OSDBitLockerRebootCount
variable. While the other methods only accept values 1 to 15, if you set this variable to 0,
BitLocker remains disabled indefinitely. This variable is useful when the task sequence
sets one value, but you want to set a separate value on a per-device or per-collection
basis.

Valid values
An integer from 0 to 15.

OSDBitLockerRecoveryPassword
Applies to the Enable BitLocker step.

(input)

Instead of generating a random recovery password, the Enable BitLocker step uses the
specified value as the recovery password. The value must be a valid numerical BitLocker
recovery password.

OSDBitLockerStartupKey
Applies to the Enable BitLocker step.

(input)

Instead of generating a random startup key for the key management option Startup Key
on USB only, the Enable BitLocker step uses the Trusted Platform Module (TPM) as the
startup key. The value must be a valid, 256-bit Base64-encoded BitLocker startup key.

OSDCaptureAccount
Applies to the Capture OS Image step.

(input)

Specifies a Windows account name that has permissions to store the captured image on
a network share (OSDCaptureDestination). Also specify the
OSDCaptureAccountPassword.

For more information on the capture OS image account, see Accounts.

OSDCaptureAccountPassword
Applies to the Capture OS Image step.

(input)

Specifies the password for the Windows account (OSDCaptureAccount) used to store
the captured image on a network share (OSDCaptureDestination).

OSDCaptureDestination
Applies to the Capture OS Image step.

(input)

Specifies the location where the task sequence saves the captured OS image. The
maximum directory name length is 255 characters. If the network share requires
authentication, specify the OSDCaptureAccount and OSDCaptureAccountPassword
variables.

OSDComputerName (input)
Applies to the Apply Windows Settings step.

Specifies the name of the destination computer.

Example

%_SMSTSMachineName% (default)

OSDComputerName (output)
Applies to the Capture Windows Settings step.

Set to the NetBIOS name of the computer. The value is set only if the
OSDMigrateComputerName variable is set to true.

OSDConfigFileName
Applies to the Apply OS Image step.

(input)

Specifies the file name of the OS deployment answer file associated with the OS
deployment image package.

OSDDataImageIndex
Applies to the Apply Data Image step.

(input)

Specifies the index value of the image that's applied to the destination computer.

OSDDiskIndex
Applies to the Format and Partition Disk step.

(input)

Specifies the physical disk number to be partitioned.

In version 2010 and earlier, this number can't be larger than 99. In version 2103 and
later, the maximum number is 10,000. This change helps support storage area network
(SAN) scenarios.

OSDDNSDomain
Applies to the Apply Network Settings step.

(input)

Specifies the primary DNS server that the destination computer uses.

OSDDNSSuffixSearchOrder
Applies to the Apply Network Settings step.

(input)

Specifies the DNS search order for the destination computer.

OSDDomainName
Applies to the Apply Network Settings step.

(input)

Specifies the name of the Active Directory domain that the destination computer joins.
The specified value must be a valid Active Directory Domain Services domain name.

OSDDomainOUName
Applies to the Apply Network Settings step.

(input)

Specifies the RFC 1779 format name of the organizational unit (OU) that the destination
computer joins. If specified, the value must contain the full path.

Example

LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com

OSDDoNotLogCommand
Applies to the Install Package and Run Command Line steps.

(input)

To prevent potentially sensitive data from being displayed or logged, set this variable to
TRUE. This variable masks the program name in the smsts.log during an Install Package
step.

When you set this variable to TRUE, it also hides the command line from the Run
Command Line step in the log file.

OSDEnableTCPIPFiltering
Applies to the Apply Network Settings step.

(input)

Specifies whether TCP/IP filtering is enabled.

Valid values
true

false (default)

OSDGPTBootDisk
Applies to the Format and Partition Disk step.

(input)

Specifies whether to create an EFI partition on a GPT hard disk. EFI-based computers use
this partition as the startup disk.

Valid values
true

false (default)

OSDImageCreator
Applies to the Capture OS Image step.

(input)

An optional name of the user who created the image. This name is stored in the WIM
file. The maximum length of the user name is 255 characters.

OSDImageDescription
Applies to the Capture OS Image step.

(input)

An optional user-defined description of the captured OS image. This description is
stored in the WIM file. The maximum length of the description is 255 characters.

OSDImageIndex
Applies to the Apply OS Image step.

(input)

Specifies the image index value of the WIM file that's applied to the destination
computer.

OSDImageVersion
Applies to the Capture OS Image step.

(input)

An optional user-defined version number to assign to the captured OS image. This
version number is stored in the WIM file. This value can be any combination of
alphanumeric characters with a maximum length of 32.

OSDInstallDriversAdditionalOptions
Applies to the Apply Driver Package step.

(input)

Specifies additional options to add to the DISM command line when applying a driver
package. The task sequence doesn't verify the command-line options.

To use this variable, enable the setting, Install driver package via running DISM with
recurse option, on the Apply Driver Package step.

For more information, see DISM command-line options.

OSDJoinAccount
Applies to the following steps:

Apply Network Settings
Join Domain or Workgroup

(input)

Specifies the domain user account that's used to add the destination computer to the
domain. This variable is required when joining a domain.

For more information on the task sequence domain joining account, see Accounts.

OSDJoinDomainName
Applies to the Join Domain or Workgroup step.

(input)

Specifies the name of an Active Directory domain the destination computer joins. The
length of the domain name must be between 1 and 255 characters.

OSDJoinDomainOUName
Applies to the Join Domain or Workgroup step.

(input)

Specifies the RFC 1779 format name of the organizational unit (OU) that the destination
computer joins. If specified, the value must contain the full path. The length of the OU
name must be between 0 and 32,767 characters. This value isn't set if the OSDJoinType
variable is set to 1 (join workgroup).

Example
LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com

OSDJoinPassword
Applies to the following steps:

Apply Network Settings
Join Domain or Workgroup

(input)

Specifies the password for the OSDJoinAccount that the destination computer uses to
join the Active Directory domain. If the task sequence environment doesn't include this
variable, then Windows Setup tries a blank password. If the OSDJoinType
variable is set to 0 (join domain), this value is required.

OSDJoinSkipReboot
Applies to the Join Domain or Workgroup step.

(input)

Specifies whether to skip restarting after the destination computer joins the domain or
workgroup.

Valid values
true

false

OSDJoinType
Applies to the Join Domain or Workgroup step.

(input)

Specifies whether the destination computer joins a Windows domain or a workgroup.

Valid values

0: Join the destination computer to a Windows domain
1: Join the destination computer to a workgroup

OSDJoinWorkgroupName
Applies to the Join Domain or Workgroup step.

(input)

Specifies the name of a workgroup that the destination computer joins. The length of
the workgroup name must be between 1 and 32 characters.

OSDKeepActivation
Applies to the Prepare Windows for Capture step.

(input)

Specifies whether sysprep keeps or resets the product activation flag.

Valid values
true: keep the activation flag

false (default): reset the activation flag

OsdLayeredDriver
Starting in version 2107

Applies to the Apply OS Image step.

Specify an integer value for the layered driver to install with Windows. For more
information, see the LayeredDriver Windows setting.

Valid values for OsdLayeredDriver

Value  Keyboard driver
0      Do not specify (default)
1      PC/AT Enhanced keyboard (101/102-key)
2      Korean PC/AT 101-Key Compatible keyboard or the Microsoft Natural keyboard (type 1)
3      Korean PC/AT 101-Key Compatible keyboard or the Microsoft Natural keyboard (type 2)
4      Korean PC/AT 101-Key Compatible keyboard or the Microsoft Natural keyboard (type 3)
5      Korean keyboard (103/106-key)
6      Japanese keyboard (106/109-key)

OSDLocalAdminPassword
Applies to the Apply Windows Settings step.

(input)

Specifies the local Administrator account password. If you enable the option to
Randomly generate the local administrator password and disable the account on all
supported platforms, then the step ignores this variable. The specified value must be
between 1 and 255 characters.

OSDLogPowerShellParameters
Applies to the Run PowerShell Script step.

(input)

To prevent potentially sensitive data from being logged, the Run PowerShell Script step
doesn't log script parameters in the smsts.log file. To include the script parameters in
the task sequence log, set this variable to TRUE.
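
The following is an added example, not code from the original documentation: it audits a task sequence variable table for the secret-bearing variables described above and for the two logging switches, OSDDoNotLogCommand and OSDLogPowerShellParameters. The names Get-OsdSecretExposure, New-Finding and Test-IsTrue are hypothetical, the sample table is constructed, and the severity labels are an assumed convention.

```powershell
Set-StrictMode -Version Latest

# Variables from this reference whose value is a credential or key.
$SecretVariables = @(
    'OSDBitLockerPIN', 'OSDBitLockerRecoveryPassword', 'OSDBitLockerStartupKey',
    'OSDCaptureAccountPassword', 'OSDJoinPassword', 'OSDLocalAdminPassword'
)

function Test-IsTrue([object]$Value) { ([string]$Value).Trim() -ieq 'true' }

function New-Finding([string]$Severity, [string]$Variable, [string]$Note) {
    [pscustomobject]@{ Severity = $Severity; Variable = $Variable; Note = $Note }
}

function Get-OsdSecretExposure {
    # Hypothetical helper: reports variable names only, never their values.
    param([Parameter(Mandatory)][hashtable]$Vars)

    $report  = New-Object System.Collections.Generic.List[object]
    $present = @($SecretVariables |
        Where-Object { -not [string]::IsNullOrEmpty([string]$Vars[$_]) })

    foreach ($name in $present) {
        $report.Add((New-Finding 'INFO' $name 'secret value is set'))
    }

    # OSDLogPowerShellParameters = TRUE writes script parameters to smsts.log.
    if (Test-IsTrue $Vars['OSDLogPowerShellParameters']) {
        $report.Add((New-Finding 'HIGH' 'OSDLogPowerShellParameters' `
            'Run PowerShell Script parameters are written to smsts.log'))
    }

    # Without OSDDoNotLogCommand = TRUE, Run Command Line command lines are logged.
    # Assumption: a deployment that sets secrets may also pass them on a command line.
    if ($present.Count -gt 0 -and -not (Test-IsTrue $Vars['OSDDoNotLogCommand'])) {
        $report.Add((New-Finding 'WARN' 'OSDDoNotLogCommand' `
            'not TRUE: command lines appear in smsts.log; keep secrets out of arguments'))
    }

    # OSDJoinType 0 (join domain) requires OSDJoinPassword; when the variable is
    # absent, Windows Setup tries a blank password.
    if (([string]$Vars['OSDJoinType']).Trim() -eq '0' -and
        [string]::IsNullOrEmpty([string]$Vars['OSDJoinPassword'])) {
        $report.Add((New-Finding 'HIGH' 'OSDJoinPassword' `
            'missing for a domain join: Windows Setup tries a blank password'))
    }

    return $report.ToArray()
}

# Constructed sample table; every value here is a placeholder.
$sample = @{
    OSDJoinType                = '0'
    OSDJoinAccount             = 'CONTOSO\svc-join'
    OSDJoinPassword            = ''
    OSDLocalAdminPassword      = 'constructed-placeholder'
    OSDLogPowerShellParameters = 'TRUE'
}

Get-OsdSecretExposure -Vars $sample | Format-Table -AutoSize
```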

OSDMigrateAdapterSettings
Applies to the Capture Network Settings step.

(input)

Specifies whether the task sequence captures the network adapter information. This
information includes configuration settings for TCP/IP and DNS.

Valid values
true (default)

false

OSDMigrateAdditionalCaptureOptions
Applies to the Capture User State step.

(input)

Specify additional command-line options for the user state migration tool (USMT) that
the task sequence uses to capture user state. The step doesn't expose these settings in
the task sequence editor. Specify these options as a string, which the task sequence
appends to the automatically generated USMT command line for ScanState.

The USMT options specified with this task sequence variable aren't validated for
accuracy prior to running the task sequence.

For more information on available options, see ScanState Syntax.

OSDMigrateAdditionalRestoreOptions
Applies to the Restore User State step.

(input)

Specifies additional command-line options for the user state migration tool (USMT) that
the task sequence uses when restoring the user state. Specify the additional options as a
string, which the task sequence appends to the automatically generated USMT
command line for LoadState.

The USMT options specified with this task sequence variable aren't validated for
accuracy prior to running the task sequence.

For more information on available options, see LoadState Syntax.

OSDMigrateComputerName
Applies to the Capture Windows Settings step.

(input)

Specifies whether the computer name is migrated.

Valid values
true (default). The OSDComputerName (output) variable is set to the NetBIOS
name of the computer.

false

OSDMigrateConfigFiles
Applies to the Capture User State step.

(input)

Specifies the configuration files used to control the capture of user profiles. This variable
is used only if OSDMigrateMode is set to Advanced. This comma-delimited list value is
set to perform customized user profile migration.

Example
miguser.xml,migsys.xml,migapps.xml

OSDMigrateContinueOnLockedFiles
Applies to the Capture User State step.

(input)

If USMT can't capture some files, this variable allows the user state capture to proceed.

Valid values
true (default)

false

OSDMigrateContinueOnRestore
Applies to the Restore User State step.

(input)

Continue the process, even if USMT can't restore some files.

Valid values
true (default)

false

OSDMigrateEnableVerboseLogging
Applies to the following steps:
Capture User State
Restore User State

(input)

Enables verbose logging for USMT. The step requires this value.

Valid values

true
false (default)

OSDMigrateLocalAccounts
Applies to the Restore User State step.

(input)

Specifies whether the local computer account is restored.

Valid values
true

false (default)

OSDMigrateLocalAccountPassword
Applies to the Restore User State step.

(input)

If the OSDMigrateLocalAccounts variable is true, this variable must contain the
password assigned to all migrated local accounts. USMT assigns the same password to
all migrated local accounts. Consider this password as temporary, and change it later by
some other method.

OSDMigrateMode
Applies to the Capture User State step.

(input)

Allows you to customize the files that USMT captures.


Valid values
Simple: The task sequence only uses the standard USMT configuration files

Advanced: The task sequence variable OSDMigrateConfigFiles specifies the
configuration files that USMT uses

OSDMigrateNetworkMembership
Applies to the Capture Network Settings step.

(input)

Specifies whether the task sequence migrates the workgroup or domain membership
information.

Valid values

true (default)

false

OSDMigrateRegistrationInfo
Applies to the Capture Windows Settings step.

(input)

Specifies whether the step migrates user and organization information.

Valid values
true (default). The OSDRegisteredOrgName (output) variable is set to the
registered organization name of the computer.

false

OSDMigrateSkipEncryptedFiles
Applies to the Capture User State step.

(input)

Specifies whether encrypted files are captured.


Valid values
true

false (default)

OSDMigrateTimeZone
Applies to the Capture Windows Settings step.

(input)

Specifies whether the computer time zone is migrated.

Valid values

true (default). The variable OSDTimeZone (output) is set to the time zone of the
computer.
false

OSDNetworkJoinType
Applies to the Apply Network Settings step.

(input)

Specifies whether the destination computer joins an Active Directory domain or a
workgroup.

Valid values
0: Join an Active Directory domain
1: Join a workgroup

OSDPartitions
Applies to the Format and Partition Disk step.

(input)

This task sequence variable is an array variable of partition settings. Each element in the
array represents the settings for a single partition on the hard disk. Access the settings
defined for each partition by combining the array variable name with the zero-based
disk partition number and the property name.

Use the following variable names to define the properties for the first partition that this
step creates on the hard disk:

OSDPartitions0Type

Specifies the type of partition. This property is required. Valid values are Primary,
Extended, Logical, and Hidden.

OSDPartitions0FileSystem
Specifies the type of file system to use when formatting the partition. This property is
optional. If you don't specify a file system, the step doesn't format the partition. Valid
values are FAT32 and NTFS.

OSDPartitions0Bootable

Specifies whether the partition is bootable. This property is required. If this value is set
to TRUE for MBR disks, then the step marks this partition as active.

OSDPartitions0QuickFormat
Specifies the type of format that is used. This property is required. If this value is set to
TRUE, the step performs a quick format. Otherwise, the step performs a full format.

OSDPartitions0VolumeName
Specifies the name that's assigned to the volume when it's formatted. This property is
optional.

OSDPartitions0Size

Specifies the size of the partition. This property is optional. If this property isn't
specified, the partition is created using all remaining free space. Units are specified by
the OSDPartitions0SizeUnits variable.

OSDPartitions0SizeUnits
The step uses these units to interpret the OSDPartitions0Size variable. This property is
optional. Valid values are MB (default), GB, and Percent.

OSDPartitions0VolumeLetterVariable

When this step creates partitions, it always uses the next available drive letter in
Windows PE. Use this optional property to specify the name of another task sequence
variable. The step uses this variable to save the new drive letter for future reference.

If you define multiple partitions with this task sequence step, the properties for the
second partition are defined by using the 1 index in the variable name. For example:
OSDPartitions1Type, OSDPartitions1FileSystem, OSDPartitions1Bootable,
OSDPartitions1QuickFormat, and OSDPartitions1VolumeName.
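
The following added example, which is not part of the Configuration Manager documentation, checks a set of OSDPartitions variables against the rules above before they're assigned to a collection or task sequence. The function name Test-OsdPartitionVariables and the sample values are hypothetical, and the checks marked as assumptions are inferences from the descriptions above.

```powershell
# Added example: offline check of OSDPartitions<N><Property> variables against the
# rules listed above. Checks marked "assumption" are inferences, not documented behavior.
function Test-OsdPartitionVariables {
    param([Parameter(Mandatory)][hashtable]$Variables)

    $known    = 'Type','FileSystem','Bootable','QuickFormat','VolumeName',
                'Size','SizeUnits','VolumeLetterVariable'
    $required = 'Type','Bootable','QuickFormat'
    $allowed  = [ordered]@{
        Type       = 'Primary','Extended','Logical','Hidden'
        FileSystem = 'FAT32','NTFS'
        SizeUnits  = 'MB','GB','Percent'
    }
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $parts    = @{}

    # Group the flat variable names by their zero-based partition index.
    foreach ($name in $Variables.Keys) {
        if ($name -notmatch '^OSDPartitions(\d+)(.+)$') { continue }   # not an array element
        $index = [int]$Matches[1]
        $prop  = $Matches[2]
        if ($known -notcontains $prop) {
            $findings.Add("${name}: '$prop' is not a documented partition property")
            continue
        }
        if (-not $parts.ContainsKey($index)) { $parts[$index] = @{} }
        $parts[$index][$prop] = [string]$Variables[$name]
    }

    $indexes = @($parts.Keys | Sort-Object)
    # Assumption: indexes run 0, 1, 2, ... without gaps, as in the 0/1 naming shown above.
    if ($indexes.Count -gt 0 -and $indexes[-1] -ne ($indexes.Count - 1)) {
        $findings.Add("Partition indexes ($($indexes -join ', ')) are not contiguous from 0")
    }

    $percentTotal = 0
    foreach ($n in $indexes) {
        $p  = $parts[$n]
        $id = "OSDPartitions$n"

        foreach ($r in $required) {
            if (-not $p.ContainsKey($r)) { $findings.Add("$id$r is required but not set") }
        }
        foreach ($k in $allowed.Keys) {
            if ($p.ContainsKey($k) -and ($allowed[$k] -notcontains $p[$k])) {
                $findings.Add("$id$k = '$($p[$k])' is not one of: $($allowed[$k] -join ', ')")
            }
        }
        # For QuickFormat, anything other than TRUE selects a full format, so a
        # mistyped value changes behavior without an error.
        foreach ($flag in 'Bootable','QuickFormat') {
            if ($p.ContainsKey($flag) -and ('TRUE','FALSE' -notcontains $p[$flag])) {
                $findings.Add("$id$flag = '$($p[$flag])' is neither TRUE nor FALSE")
            }
        }

        if ($p.ContainsKey('Size')) {
            # Assumption: sizes are positive whole numbers.
            if ($p['Size'] -notmatch '^[1-9]\d*$') {
                $findings.Add("${id}Size = '$($p['Size'])' is not a positive whole number")
            } elseif ($p['SizeUnits'] -eq 'Percent') {
                $percentTotal += [long]$p['Size']
            }
        } else {
            if ($p.ContainsKey('SizeUnits')) {
                $findings.Add("${id}SizeUnits is set but ${id}Size is not, so the units are unused")
            }
            # No Size means "all remaining free space". Assumption: a partition
            # defined after this one then has no space left to use.
            if ($n -ne $indexes[-1]) {
                $findings.Add("${id}Size is not set, so later partitions may have no free space")
            }
        }
    }
    if ($percentTotal -gt 100) {
        $findings.Add("Percent-sized partitions add up to $percentTotal percent")
    }
    $findings.ToArray()
}

# Constructed sample input with deliberate mistakes.
$sample = @{
    OSDPartitionStyle         = 'GPT'       # not part of the array, ignored
    OSDPartitions0Type        = 'Primary'
    OSDPartitions0FileSystem  = 'FAT32'
    OSDPartitions0Bootable    = 'TRUE'
    OSDPartitions0QuickFormat = 'TRUE'
    OSDPartitions0Size        = '500'
    OSDPartitions0Label       = 'EFI'       # not a documented property
    OSDPartitions1Type        = 'Primary'
    OSDPartitions1FileSystem  = 'NTSF'      # typo for NTFS
    OSDPartitions1Bootable    = 'FALSE'
    OSDPartitions1QuickFormat = 'Yes'       # not TRUE, so a full format
    OSDPartitions2Type        = 'Primary'   # Bootable is missing
    OSDPartitions2QuickFormat = 'TRUE'
    OSDPartitions2Size        = '1'
    OSDPartitions2SizeUnits   = 'GB'
}
Test-OsdPartitionVariables -Variables $sample
```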

OSDPartitionStyle
Applies to the Format and Partition Disk step.

(input)

Specifies the partition style to use when partitioning the disk.

Valid values

GPT: Use the GUID Partition Table style

MBR: Use the master boot record partition style

OSDProductKey
Applies to the Apply Windows Settings step.

(input)

Specifies the Windows product key. The specified value must be between 1 and 255
characters.

OSDRandomAdminPassword
Applies to the Apply Windows Settings step.

(input)
Specifies a randomly generated password for the local Administrator account in the new
OS.

Valid values

true (default): Windows Setup disables the local Administrator account on the
target computer

false: Windows Setup enables the local administrator account on the target
computer, and sets the account password to the value of OSDLocalAdminPassword

OSDRecoveryKeyPollingFrequency
Applies to the Enable BitLocker step.

Applies to version 2203 and later.

The frequency, in seconds, that the BitLocker action will poll the site database for
recovery key escrow status. Minimum value is 15 seconds. Default value is 300 seconds
(5 minutes).

OSDRecoveryKeyPollingTimeout
Applies to the Enable BitLocker step.

Applies to version 2203 and later.

The maximum number of seconds for the BitLocker action to wait for the recovery key
to be escrowed to the site database. Minimum value is 30 seconds. Default value is 1800
seconds (30 minutes).

OSDRegisteredOrgName (input)
Applies to the Apply Windows Settings step.

Specifies the default registered organization name in the new OS. The specified value
must be between 1 and 255 characters.

OSDRegisteredOrgName (output)
Applies to the Capture Windows Settings step.
Set to the registered organization name of the computer. The value is set only if the
OSDMigrateRegistrationInfo variable is set to true.

OSDRegisteredUserName
Applies to the Apply Windows Settings step.

(input)

Specifies the default registered user name in the new OS. The specified value must be
between 1 and 255 characters.

OSDServerLicenseConnectionLimit
Applies to the Apply Windows Settings step.

(input)

Specifies the maximum number of connections allowed. The specified number must be
in the range between 5 and 9999 connections.

OSDServerLicenseMode
Applies to the Apply Windows Settings step.

(input)

Specifies the Windows Server license mode that's used.

Valid values

PerSeat
PerServer

OSDSetupAdditionalUpgradeOptions
Applies to the Upgrade Operating System step.

(input)

Specifies the additional command-line options that are added to Windows Setup during
an upgrade. The task sequence doesn't verify the command-line options.
For more information, see Windows Setup Command-Line Options.

OSDStateFallbackToNAA
Applies to the Request State Store step.

(input)

When the computer account fails to connect to the state migration point, this variable
specifies whether the task sequence falls back to use the network access account (NAA).

For more information on the network access account, see Accounts.

Valid values

true
false (default)

OSDStateSMPRetryCount
Applies to the Request State Store step.

(input)

Specifies the number of times that the task sequence step tries to find a state migration
point before the step fails. The specified count must be between 0 and 600.

OSDStateSMPRetryTime
Applies to the Request State Store step.

(input)

Specifies the number of seconds that the task sequence step waits between retry
attempts. The number of seconds can be a maximum of 30 characters.

OSDStateStorePath
Applies to the following steps:

Capture User State
Release State Store
Request State Store
Restore User State

(input)

The network share or local path name of the folder where the task sequence saves or
restores the user state. There is no default value.

OSDTargetSystemDrive
Applies to the Apply OS Image step.

(output)

Specifies the drive letter of the partition that contains the OS files after the image is
applied.

OSDTargetSystemRoot (input)
Applies to the Capture OS Image step.

Specifies the path to the Windows directory of the installed OS on the reference
computer. The task sequence verifies it as a supported OS for capture by Configuration
Manager.

OSDTargetSystemRoot (output)
Applies to the Prepare Windows for Capture step.

Specifies the path to the Windows directory of the installed OS on the reference
computer. The task sequence verifies it as a supported OS for capture by Configuration
Manager.

OSDTimeZone (input)
Applies to the Apply Windows Settings step.

Specifies the default time zone setting that's used in the new OS.

Set the value of this variable to the language-invariant name of the time zone. For example,
use the string in the Std value for a time zone under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones.

OSDTimeZone (output)
Applies to the Capture Windows Settings step.

Set to the time zone of the computer. The value is set only if the OSDMigrateTimeZone
variable is set to true.

OSDWindowsSettingsInputLocale
Applies to the Apply Windows Settings step.

Specifies the default input locale setting that's used in the new OS.

For more information on the Windows setup answer file value, see
Microsoft-Windows-International-Core - InputLocale.

OSDWindowsSettingsSystemLocale
Applies to the Apply Windows Settings step.

Specifies the default system locale setting that's used in the new OS.

For more information on the Windows setup answer file value, see
Microsoft-Windows-International-Core - SystemLocale.

OSDWindowsSettingsUILanguage
Applies to the Apply Windows Settings step.

Specifies the default user interface language setting that's used in the new OS.

For more information on the Windows setup answer file value, see
Microsoft-Windows-International-Core - UILanguage.

OSDWindowsSettingsUILanguageFallback
Applies to the Apply Windows Settings step.

Specifies the fallback user interface language setting that's used in the new OS.

For more information on the Windows setup answer file value, see
Microsoft-Windows-International-Core - UILanguageFallback.

OSDWindowsSettingsUserLocale
Applies to the Apply Windows Settings step.

Specifies the default user locale setting that's used in the new OS.

For more information on the Windows setup answer file value, see
Microsoft-Windows-International-Core - UserLocale.

OSDWipeDestinationPartition
Applies to the Apply Data Image step.

(input)

Specifies whether to delete the files located on the destination partition.

Valid values
true (default)

false

OSDWorkgroupName
Applies to the Apply Network Settings step.

(input)

Specifies the name of the workgroup that the destination computer joins.

Specify either this variable or the OSDDomainName variable. The workgroup name can
be a maximum of 32 characters.

SetupCompletePause
Applies to the Upgrade Operating System step.

Use this variable to address timing issues with the Windows 10 in-place upgrade task
sequence on high performance devices when Windows setup is complete. When you
assign a value in seconds to this variable, the Windows setup process delays that
amount of time before it starts the task sequence. This timeout provides the
Configuration Manager client additional time to initialize.

The following log entries are common examples of this issue that you can remediate
with this variable:

The TSManager component records entries similar to the following errors in the
smsts.log:

log

Failed to initate policy evaluation for namespace 'root\ccm\policy\machine', hr=0x80041010
Error compiling client config policies. code 80041010
Task Sequence Manager could not initialize Task Sequence Environment. code 80041010

Windows setup records entries similar to the following errors in the
setupcomplete.log:

log

Running C:\windows\CCM\\TSMBootstrap.exe to resume task sequence
ERRORLEVEL = -1073741701
TSMBootstrap did not request reboot, resetting registry
Exiting setupcomplete.cmd
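
The following added example, which is not part of the Configuration Manager documentation, scans collected smsts.log and setupcomplete.log lines for the entries quoted above and shows the signed ERRORLEVEL value in hexadecimal form. The function names and the sample lines are constructed for illustration; the example assumes smsts.log lines may carry the CMTrace wrapper around each message.

```powershell
# Added example: find the SetupCompletePause signatures quoted above in log lines.

function ConvertTo-HexStatus {
    # setupcomplete.cmd logs ERRORLEVEL as a signed 32-bit decimal.
    # Formatting the Int32 as hex yields the familiar 0xXXXXXXXX status form.
    param([Parameter(Mandatory)][int]$Code)
    '0x{0:X8}' -f $Code
}

function Find-SetupCompletePauseSignature {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Line,
        [string]$LogName = 'unknown'
    )
    $bootstrapSeen = $false
    $lineNumber    = 0
    foreach ($raw in $Line) {
        $lineNumber++
        # Assumption: smsts.log wraps each message as <![LOG[message]LOG]!><attributes>.
        # Unwrap it when present; plain-text lines are used as they are.
        $msg = if ($raw -match '<!\[LOG\[(?<m>.*?)\]LOG\]!>') { $Matches['m'] } else { $raw }

        $code = $null
        if ($msg -match '(?:hr=0x|code )80041010\b') {
            # All three smsts.log entries above carry this code (WBEM_E_INVALID_CLASS).
            $code = '0x80041010'
        }
        elseif ($msg -match 'TSMBootstrap\.exe to resume task sequence') {
            # Remember that the next ERRORLEVEL line belongs to TSMBootstrap.
            $bootstrapSeen = $true
        }
        elseif ($bootstrapSeen -and $msg -match '^\s*ERRORLEVEL = (?<n>-?\d+)\s*$') {
            $value         = [int]$Matches['n']
            $bootstrapSeen = $false
            if ($value -ne 0) { $code = ConvertTo-HexStatus -Code $value }
        }

        if ($code) {
            [pscustomobject]@{
                Log     = $LogName
                Line    = $lineNumber
                Code    = $code
                Message = $msg.Trim()
            }
        }
    }
}

# Constructed sample lines. Message text follows the entries quoted above;
# timestamps, thread ids and source file names are made up.
$smsts = @'
<![LOG[Starting Task Sequence Engine]LOG]!><time="10:15:01.002+000" date="01-01-2024" component="TSManager" context="" type="1" thread="1234" file="example.cpp:1">
<![LOG[Failed to initate policy evaluation for namespace 'root\ccm\policy\machine', hr=0x80041010]LOG]!><time="10:15:02.117+000" date="01-01-2024" component="TSManager" context="" type="3" thread="1234" file="example.cpp:2">
<![LOG[Error compiling client config policies. code 80041010]LOG]!><time="10:15:02.120+000" date="01-01-2024" component="TSManager" context="" type="3" thread="1234" file="example.cpp:3">
<![LOG[Task Sequence Manager could not initialize Task Sequence Environment. code 80041010]LOG]!><time="10:15:02.125+000" date="01-01-2024" component="TSManager" context="" type="3" thread="1234" file="example.cpp:4">
'@ -split '\r?\n'

$setup = @'
Running C:\windows\CCM\\TSMBootstrap.exe to resume task sequence
ERRORLEVEL = -1073741701
TSMBootstrap did not request reboot, resetting registry
Exiting setupcomplete.cmd
'@ -split '\r?\n'

$hits  = @(Find-SetupCompletePauseSignature -Line $smsts -LogName 'smsts.log')
$hits += @(Find-SetupCompletePauseSignature -Line $setup -LogName 'setupcomplete.log')
$hits | Format-Table -AutoSize -Wrap

if ($hits.Count -gt 0) {
    'Signatures found: consider setting SetupCompletePause on this in-place upgrade task sequence.'
}
```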

SMSClientInstallProperties
Applies to the Setup Windows and ConfigMgr step.

(input)

Specifies the client installation properties that the task sequence uses when installing
the Configuration Manager client.

For more information, see About client installation parameters and properties.

SMSConnectNetworkFolderAccount
Applies to the Connect To Network Folder step.

(input)

Specifies the user account that is used to connect to the network share in
SMSConnectNetworkFolderPath. Specify the account password with the
SMSConnectNetworkFolderPassword value.

For more information on the task sequence network folder connection account, see
Accounts.

SMSConnectNetworkFolderDriveLetter
Applies to the Connect To Network Folder step.

(input)

Specifies the network drive letter to connect to. This value is optional. If it's not
specified, then the network connection isn't mapped to a drive letter. If this value is
specified, the value must be in the range from D to Z. Don't use X; it's the drive letter
used by Windows PE during the Windows PE phase.

Examples

D:
E:

SMSConnectNetworkFolderPassword
Applies to the Connect To Network Folder step.

(input)

Specifies the password for the SMSConnectNetworkFolderAccount that is used to
connect to the network share in SMSConnectNetworkFolderPath.

SMSConnectNetworkFolderPath
Applies to the Connect To Network Folder step.

(input)

Specifies the network path for the connection. If you need to map this path to a drive
letter, use the SMSConnectNetworkFolderDriveLetter value.

Example
\\server\share

SMSInstallUpdateTarget
Applies to the Install Software Updates step.

(input)
Specifies whether to install all updates or only mandatory updates.

Valid values
All

Mandatory

SMSRebootMessage
Applies to the Restart Computer step.

(input)

Specifies the message to be displayed to users before restarting the destination
computer. If this variable isn't set, the default message text is displayed. The specified
message can't exceed 512 characters.

Example

Save your work before the computer restarts.

SMSRebootTimeout
Applies to the Restart Computer step.

(input)

Specifies the number of seconds that the warning is displayed to the user before the
computer restarts.

Examples

0 (default): Don't display a reboot message

60: Display the warning for one minute

SMSTSAllowTokenAuthURLForACP
Applies to version 2203 and later

When you use the SMSTSDownloadProgram variable to use an alternate content
provider, set this variable to true to allow it to use token authentication. If you don't set
this variable or set it to false, it skips any token authentication sources. The alternate
content provider has to support token authentication.

For more information, see CMG client authentication.

SMSTSAssignmentsDownloadInterval
The number of seconds to wait before the client attempts to download the policy since
the last attempt that returned no policies. By default, the client waits 0 seconds before
retrying.

You can set this variable by using a prestart command from media or PXE.

SMSTSAssignmentsDownloadRetry
The number of times a client attempts to download the policy after no policies are
found on the first attempt. By default, the client retries 0 times.

You can set this variable by using a prestart command from media or PXE.

SMSTSAssignUsersMode
Specifies how a task sequence associates users with the destination computer. Set the
variable to one of the following values:

Auto: When the task sequence deploys the OS to the destination computer, it
creates a relationship between the specified users and destination computer.

Pending: The task sequence creates a relationship between the specified users and
the destination computer. An administrator must approve the relationship to set it.

Disabled: The task sequence doesn't associate users with the destination computer
when it deploys the OS.

SMSTSDisableStatusRetry
In disconnected scenarios, the task sequence engine repeatedly tries to send status
messages to the management point. This behavior in this scenario causes delays in task
sequence processing.

Set this variable to true and the task sequence engine doesn't attempt to send status
messages after the first message fails to send. This first attempt includes multiple retries.
When the task sequence restarts, the value of this variable persists. However, the task
sequence tries sending an initial status message. This first attempt includes multiple
retries. If successful, the task sequence continues sending status regardless of the value
of this variable. If status fails to send, the task sequence uses the value of this variable.

Note

Task sequence status reporting relies upon these status messages to display the
progress, history, and details of each step. If status messages fail to send, they're
not queued. When connectivity is restored to the management point, they're not
sent at a later time. As a result, task sequence status reporting is incomplete and
missing items.

SMSTSDisableWow64Redirection
Applies to the Run Command Line step.

(input)

By default on a 64-bit OS, the task sequence locates and runs the program in the
command line using the WOW64 file system redirector. This behavior allows the
command to find 32-bit versions of OS programs and DLLs. Setting this variable to true
disables the use of the WOW64 file system redirector. The command finds native 64-bit
versions of OS programs and DLLs. This variable has no effect when running on a 32-bit
OS.

SMSTSDownloadAbortCode
This variable contains the abort code value for the external program downloader. This
program is specified in the SMSTSDownloadProgram variable. If the program returns an
error code equal to the value of the SMSTSDownloadAbortCode variable, then the
content download fails and no other download method is attempted.

SMSTSDownloadProgram
Use this variable to specify an alternate content provider (ACP). An ACP is a downloader
program that's used to download content. The task sequence uses the ACP instead of
the default Configuration Manager downloader. As part of the content download
process, the task sequence checks this variable. If specified, the task sequence runs the
program to download the content.

SMSTSDownloadRetryCount
The number of times that Configuration Manager attempts to download content from a
distribution point. By default, the client retries 2 times.

SMSTSDownloadRetryDelay
The number of seconds that Configuration Manager waits before it retries to download
content from a distribution point. By default, the client waits 15 seconds before retrying.

SMSTSDriverRequestConnectTimeOut
Applies to the Auto Apply Drivers step.

When requesting the driver catalog, this variable is the number of seconds the task
sequence waits for the HTTP server connection. If the connection takes longer than the
timeout setting, the task sequence cancels the request. By default, the timeout is set to
60 seconds.

SMSTSDriverRequestReceiveTimeOut
Applies to the Auto Apply Drivers step.

When requesting the driver catalog, this variable is the number of seconds the task
sequence waits for a response. If the connection takes longer than the timeout setting,
the task sequence cancels the request. By default, the timeout is set to 480 seconds.

SMSTSDriverRequestResolveTimeOut
Applies to the Auto Apply Drivers step.

When requesting the driver catalog, this variable is the number of seconds the task
sequence waits for HTTP name resolution. If the connection takes longer than the
timeout setting, the task sequence cancels the request. By default, the timeout is set to
60 seconds.

SMSTSDriverRequestSendTimeOut
Applies to the Auto Apply Drivers step.

When sending a request for the driver catalog, this variable is the number of seconds
the task sequence waits to send the request. If the request takes longer than the
timeout setting, the task sequence cancels the request. By default, the timeout is set to
60 seconds.

SMSTSErrorDialogTimeout
When an error occurs in a task sequence, it displays a dialog box with the error. The task
sequence automatically dismisses it after the number of seconds specified by this
variable. By default, this value is 900 seconds (15 minutes).

SMSTSLanguageFolder
Use this variable to change the display language of a language neutral boot image.

SMSTSLocalDataDrive
Specifies where the task sequence stores temporary cache files on the destination
computer while it's running.

Set this variable before the task sequence starts, such as by setting a collection variable.
Once the task sequence starts, Configuration Manager defines the _SMSTSMDataPath
variable based on what the SMSTSLocalDataDrive variable was defined to.

SMSTSMP
Use this variable to specify the URL or IP address of the Configuration Manager
management point.

SMSTSMPListRequestTimeoutEnabled
Applies to the following steps:

Install Application
Install Software Updates

(input)

If the client isn't on the intranet, use this variable to enable repeated MPList requests to
refresh the client. By default, this variable is set to True.

When clients are on the internet, set this variable to False to avoid unnecessary delays.

SMSTSMPListRequestTimeout
Applies to the following steps:

Install Application
Install Software Updates

(input)

If the task sequence fails to retrieve the management point list (MPList) from location
services, this variable specifies how many milliseconds it waits before it retries the step.
By default, the task sequence waits 60000 milliseconds (60 seconds) before it retries. It
retries up to three times.

SMSTSPeerDownload
Use this variable to enable the client to use Windows PE peer cache. Setting this variable
to true enables this functionality.

SMSTSPeerRequestPort
A custom network port that Windows PE peer cache uses for the initial broadcast. The
default port configured in client settings is 8004.

SMSTSPersistContent
Use this variable to temporarily persist content in the task sequence cache. This variable
is different from SMSTSPreserveContent, which keeps content in the Configuration
Manager client cache after the task sequence is complete. SMSTSPersistContent uses the
task sequence cache, SMSTSPreserveContent uses the Configuration Manager client
cache.

SMSTSPostAction
Specifies a command that's run after the task sequence completes. Just before exiting
the task sequence, the TSManager process spawns the specified post action. It doesn't
wait or record any status, just exits after calling that command.

For example, specify shutdown.exe /r /t 30 /f to restart the computer 30 seconds after
the task sequence completes.

SMSTSPreferredAdvertID
Forces the task sequence to run a specific targeted deployment on the destination
computer. Set this variable through a prestart command from media or PXE. If this
variable is set, the task sequence overrides any required deployments.

SMSTSPreserveContent
This variable flags the content in the task sequence to be kept in the Configuration
Manager client cache after the deployment. This variable is different from
SMSTSPersistContent, which only keeps the content for the duration of the task
sequence. SMSTSPersistContent uses the task sequence cache, SMSTSPreserveContent
uses the Configuration Manager client cache. Set SMSTSPreserveContent to true to
enable this functionality.

SMSTSRebootDelay
Specifies how many seconds to wait before the computer restarts. If this variable is zero
(0), the task sequence manager doesn't display a notification dialog before reboot.

Example

0: don't display a notification

60: display a notification for one minute

SMSTSRebootDelayNext
Use this variable with the existing SMSTSRebootDelay variable. If you want any later
reboots to happen with a different timeout than the first, set SMSTSRebootDelayNext to
a different value in seconds.

Example

You want to give users a 60-minute reboot notification at the start of a Windows
in-place upgrade task sequence. After that first long timeout, you want additional timeouts
to only be 60 seconds. Set SMSTSRebootDelay to 3600, and SMSTSRebootDelayNext to 60.

SMSTSRebootMessage
Specifies the message to display in the restart notification dialog. If this variable isn't set,
a default message appears.

Example

The task sequence is restarting this computer

SMSTSRebootRequested
Indicates that a restart is requested after the current task sequence step is completed. If
the task sequence step requires a restart to complete the action, set this variable. After
the computer restarts, the task sequence continues to run from the next task sequence
step.

HD: Restart to the installed OS

WinPE: Restart to the associated boot image

SMSTSRetryRequested
Requests a retry after the current task sequence step is completed. If this task sequence
variable is set, also configure the SMSTSRebootRequested variable. After the computer
is restarted, the task sequence manager reruns the same task sequence step.

SMSTSRunCommandLineAsUser
Applies to the Run Command Line step.

Use task sequence variables to configure the user context for the Run Command Line
step. You don't need to configure the Run Command Line step with a placeholder
account to use the SMSTSRunCommandLineUserName and
SMSTSRunCommandLineUserPassword variables.

Configure SMSTSRunCommandLineAsUser with one of the following values:

true: Any further Run Command Line steps run in the context of the user
specified in SMSTSRunCommandLineUserName.

false: Any further Run Command Line steps run in the context that you
configured on the step.

SMSTSRunCommandLineUserName
Applies to the Run Command Line step.

(input)

Specifies the account by which the command line is run. The value is a string of the form
username for a local account or domain\username for a domain one. Specify the
account password with the SMSTSRunCommandLineUserPassword variable.

Note

Use the SMSTSRunCommandLineAsUser variable with this variable to configure
the user context for this step.

For more information on the task sequence run-as account, see Accounts.

SMSTSRunCommandLineUserPassword
Applies to the Run Command Line step.

(input)

Specifies the password for the account specified by the
SMSTSRunCommandLineUserName variable.

SMSTSRunPowerShellAsUser
Applies to the Run PowerShell Script step.

Use task sequence variables to configure the user context for the Run PowerShell Script
step. You don't need to configure the Run PowerShell Script step with a placeholder
account to use the SMSTSRunPowerShellUserName and
SMSTSRunPowerShellUserPassword variables.

Configure SMSTSRunPowerShellAsUser with one of the following values:

true: Any further Run PowerShell Script steps run in the context of the user
specified in SMSTSRunPowerShellUserName.

false: Any further Run PowerShell Script steps run in the context that you
configured on the step.

SMSTSRunPowerShellUserName
Applies to the Run PowerShell Script step.

(input)

Specifies the account by which the PowerShell script is run. The value is a string of the
form username or domain\username. Specify the account password with the
SMSTSRunPowerShellUserPassword variable.

Note

To use these variables, configure the Run PowerShell Script step with the setting to
Run this step as the following account. When you enable this option, if you're
setting the user name and password with variables, specify any value for the
account.

For more information on the task sequence run-as account, see Accounts.

SMSTSRunPowerShellUserPassword
Applies to the Run PowerShell Script step.

(input)

Specifies the password for the account specified by the SMSTSRunPowerShellUserName
variable.

SMSTSSoftwareUpdateScanTimeout
Applies to the Install Software Updates step.

(input)

Control the timeout for the software updates scan during this step. For example, if you
expect numerous updates during the scan, increase the value. The default value is 3600
seconds (60 minutes). The variable value is set in seconds.

SMSTSUDAUsers
Specifies the primary users of the destination computer by using the following format:
<DomainName>\<UserName>. Separate multiple users by using a comma (,). For more
information, see Associate users with a destination computer.

Example

contoso\jqpublic, contoso\megb, contoso\janedoh

SMSTSWaitCcmexecOperationalTimeout
(input)

Use this variable to control the timeout period for the task sequence to wait for the SMS
Agent Host service (ccmexec) to completely start. Specify this value in seconds. The
default timeout period is 30 minutes, or 1800 seconds.

Examples of SMSTSWaitCcmexecOperationalTimeout

1800 (default): 30 minutes

300: The task sequence waits five minutes for ccmexec to start

SMSTSWaitForSecondReboot
Applies to the Install Software Updates step.

(input)

This optional task sequence variable controls client behavior when a software update
installation requires two restarts. Set this variable before this step to prevent a task
sequence from failing because of a second restart from software update installation.

Set the SMSTSWaitForSecondReboot value in seconds to specify how long the task
sequence pauses on this step while the computer restarts. Allow sufficient time in case
there's a second restart.

For example, if you set SMSTSWaitForSecondReboot to 600, the task sequence pauses
for 10 minutes after a restart before additional steps run. This variable is useful when a
single Install Software Updates task sequence step installs hundreds of software
updates.

Note

This variable only applies to a task sequence that deploys an OS. It doesn't work in
a custom task sequence.

TSDebugMode
Set this variable to TRUE on a collection or computer object to which the task sequence
is deployed. Any device that has this variable set will put any task sequence deployed to
it into debug mode.

For more information, see Debug a task sequence.

TSDebugOnError
Set this variable to TRUE to automatically start the task sequence debugger when the
task sequence returns an error.

Set this variable using:

The Set Task Sequence Variable step

A collection variable. For more information, see How to set variables.

TSDisableProgressUI
Use this variable to control when the task sequence displays progress to end users. To
hide or display progress at different times, set this variable multiple times in a task
sequence.

true: Hide task sequence progress

false: Display task sequence progress

TSErrorOnWarning
Applies to the Install Application step.

(input)

Specify whether the task sequence engine considers a detected warning as an error
during this step. The task sequence sets the _TSAppInstallStatus variable to Warning
when one or more applications, or a required dependency, didn't install because it
didn't meet a requirement. When you set this variable to True, and the task sequence
sets _TSAppInstallStatus to Warning, the outcome is an error. A value of False is the
default behavior.

TSProgressInfoLevel
Specify this variable to control the type of information that the task sequence progress
window displays. Use the following values for this variable:

1: Include the current step and total steps to the progress text. For example, 2 of 10.
2: Include the current step, total steps, and percentage completed. For example, 2 of 10
(20% complete).
3: Include the percentage completed. For example, (20% complete).

TSUEFIDrive
Use on the properties of a FAT32 partition in the Variable field. When the task sequence
detects this variable, it prepares the disk for transition to UEFI before it restarts the
computer. For more information, see Task sequence steps to manage BIOS to UEFI
conversion.

WorkingDirectory
Applies to the Run Command Line step.

(input)

Specifies the starting directory for a command-line action. The specified directory name
can't exceed 255 characters.

Examples
C:\

%SystemRoot%

Deprecated variables
The following variables are deprecated:

OSDAllowUnsignedDriver: Isn't used when deploying Windows Vista and later
operating systems
OSDBuildStorageDriverList: Only applies to Windows XP and Windows Server
2003
OSDDiskpartBiosCompatibilityMode: Only needed when deploying Windows XP
or Windows Server 2003
OSDInstallEditionIndex: Not needed post-Windows Vista
OSDPreserveDriveLetter: For more information, see OSDPreserveDriveLetter

OSDPreserveDriveLetter

Important

This task sequence variable is deprecated.

During an OS deployment, by default, Windows Setup determines the best drive
letter to use (typically C:).

Previous behavior: when applying an image, the OSDPreserveDriveLetter variable
determines whether the task sequence uses the drive letter captured in the image file
(WIM). Set the value for this variable to false to use the location that you specify for
the Destination setting in the Apply Operating System task sequence step. For more
information, see Apply OS image.

See also
Task sequence steps
Using task sequence variables
Planning considerations for automating tasks

Prestart commands for task sequence media in Configuration Manager
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

You can create a prestart command in Configuration Manager to use with boot media,
stand-alone media, and prestaged media. The prestart command is a script or
executable that runs before the task sequence is selected and can interact with the user
in Windows PE. The prestart command can prompt a user for information and save it in
the task sequence environment or query a task sequence variable for information. When
the destination computer boots, the command line is run before the policy is
downloaded from the management point. Use the following procedures to create a
script to use for the prestart command, distribute the content associated with the
prestart command, and configure the prestart command in media.

Create a script file to use for the Prestart Command
Task sequence variables can be read and written by using the
Microsoft.SMS.TSEnvironment COM object while the task sequence is running. The
following example illustrates a Visual Basic script file that queries the _SMSTSLogPath
task sequence variable to get the current log location. The script also sets a custom
variable.

VBScript

' Connect to the task sequence environment.
dim env: set env = CreateObject("Microsoft.SMS.TSEnvironment")
dim logPath

' You can query the environment to get an existing variable.
logPath = env("_SMSTSLogPath")

' You can also set a variable in the OSD environment.
env("MyCustomVariable") = "varname"

Create a Package for the Script File and Distribute the Content
After you create the script or executable for the prestart command, you must create a
package source to host the files for the script or executable, create a package for the
files (no program required), and then distribute the content to a distribution point.

For more information about creating a package, see Packages and programs.

For more information about distributing content, see Distribute content.

Configure the Prestart Command in Media

You can configure a prestart command in the Create Task Sequence Media Wizard for
stand-alone media, bootable media, or prestaged media. For more information about
the media types, see Create task sequence media. Use the following procedure to create
a prestart command in media.

To create a prestart command in media

1. In the Configuration Manager console, click Software Library.

2. In the Software Library workspace, expand Operating Systems, and then click Task
Sequences.

3. On the Home tab, in the Create group, click Create Task Sequence Media to start
the Create Task Sequence Media Wizard.

4. On the Select Media Type page, select Stand-alone media, Bootable media, or
Prestaged media, and then click Next.

5. Navigate to the Customization page of the wizard. For more information about
configuring the other pages in the wizard, see Create task sequence media.

6. On the Customization page, specify the following information, and then click Next.

Select Enable prestart command.

In the Command line text box, enter the script or executable that you created
for the prestart command.

Important

Use cmd /C <prestart command> to specify the prestart command. For
example, if you used TSScript.vbs as the name for your prestart
command script, you would enter cmd /C TSScript.vbs for the command
line. Here, cmd /C opens a new Windows command interpreter window
and uses the Path environment variable to find the prestart command
script or executable. You can also specify the full path to the prestart
command, but the drive letter could be different on computers with
different drive configurations.

Select Include files for the prestart command.

Click Set to select the package that is associated with the prestart command
files.

Click Browse to select the distribution point that hosts the content for the
prestart command.

7. Complete the wizard.


Provisioning mode
Article • 10/04/2022

Applies to: Configuration Manager (current branch)

During an OS deployment task sequence, Configuration Manager places the client in
provisioning mode. (An OS deployment task sequence includes in-place upgrade.) In
this state, the client doesn't process policy from the site. This behavior allows the task
sequence to run without risk of additional deployments running on the client. When the
task sequence completes, either success or handled failure, it exits client provisioning
mode.

If the task sequence unexpectedly fails, the client can be left in provisioning mode. For
example, this can happen if the device restarts in the middle of task sequence processing
and is unable to recover. An administrator must manually identify and fix clients in this state.

Manually remove provisioning mode


If a client is left in provisioning mode, use this manual process to return the client to
normal operation.

PowerShell

Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $false

Important

One of the changes made by this WMI method is setting a registry value, but it
makes other changes as well. Just changing the registry value doesn't fully take the
client out of provisioning mode. If you manually edit the registry, the client may
exhibit unexpected behaviors.

Client provisioning mode timeout


The task sequence sets a timestamp when it puts the client in provisioning mode. Every
60 minutes, a client in provisioning mode checks the duration of time since the
timestamp. If it's been in provisioning mode for more than 48 hours, the client
automatically exits provisioning mode and restarts its process.

48 hours is the default provisioning mode timeout value. You can adjust this timer on a
device by setting the ProvisioningMaxMinutes value in the following registry key:
HKLM\Software\Microsoft\CCM\CcmExec. The value is specified in minutes. If this value
doesn't exist or is 0, the client uses the default 48 hours.

The timestamp ProvisioningEnabledTime is located in the following registry key:
HKLM\Software\Microsoft\CCM\CcmExec. The timestamp has a value of the last time the
machine entered provisioning mode. The format is epoch (Unix timestamp) and is in
UTC.

This timestamp is also reset to the current time when you manually place the machine in
provisioning mode by using the following command:

PowerShell

Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $true
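
The timeout arithmetic described in this section, as an added example that is not Microsoft's code: it reads ProvisioningEnabledTime and ProvisioningMaxMinutes from the registry key named above and reports when the timeout applies. The function names, parameters, and the sample values at the end are assumptions made for illustration.

```powershell
# Added example; function and parameter names are hypothetical.
function Get-ProvisioningTimeoutStatus {
    param(
        # ProvisioningEnabledTime: epoch seconds, UTC.
        [Parameter(Mandatory)] [long] $EnabledTimeEpoch,
        # ProvisioningMaxMinutes: absent or 0 means the default of 48 hours.
        [long] $MaxMinutes = 0,
        # Injectable clock (epoch seconds, UTC) so constructed values can be checked.
        [long] $NowEpoch = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    )
    $timeout  = if ($MaxMinutes -gt 0) { $MaxMinutes } else { 48 * 60 }
    $deadline = $EnabledTimeEpoch + ($timeout * 60)
    [pscustomobject]@{
        EnteredUtc     = [DateTimeOffset]::FromUnixTimeSeconds($EnabledTimeEpoch).UtcDateTime
        TimeoutMinutes = $timeout
        DeadlineUtc    = [DateTimeOffset]::FromUnixTimeSeconds($deadline).UtcDateTime
        MinutesElapsed = [long][math]::Floor(($NowEpoch - $EnabledTimeEpoch) / 60.0)
        # The client re-checks only every 60 minutes, so exit can lag the deadline.
        PastTimeout    = $NowEpoch -gt $deadline
    }
}

function Get-LocalProvisioningTimeoutStatus {
    # Reads the two values this section names; returns $null if no timestamp exists.
    $key   = 'HKLM:\Software\Microsoft\CCM\CcmExec'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or $null -eq $props.PSObject.Properties['ProvisioningEnabledTime']) {
        return $null
    }
    $max = 0
    if ($props.PSObject.Properties['ProvisioningMaxMinutes']) {
        $max = [long]$props.ProvisioningMaxMinutes
    }
    Get-ProvisioningTimeoutStatus -EnabledTimeEpoch ([long]$props.ProvisioningEnabledTime) -MaxMinutes $max
}

# Constructed sample: entered 2022-10-04 00:00:00 UTC, evaluated 50 hours later.
Get-ProvisioningTimeoutStatus -EnabledTimeEpoch 1664841600 -NowEpoch 1665021600
# Same timestamp with a constructed 72-hour override (4320 minutes).
Get-ProvisioningTimeoutStatus -EnabledTimeEpoch 1664841600 -MaxMinutes 4320 -NowEpoch 1665021600
```

ProvisioningEnabledTime records the last time the machine entered provisioning mode, so the result describes when the timeout would apply, not whether the client is currently in that mode.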

Process flow diagrams


These diagrams show the process flow for the task sequence and the client.

Task sequence

The following diagram shows how the task sequence sets provisioning mode:

Client remediation

The following diagram shows how the client exits provisioning mode:

See also
Setup Windows and ConfigMgr

Upgrade Operating System
