Contents

OS deployment documentation
Understand
Introduction to OS deployment
Plan and design
Infrastructure requirements for OS deployment
Planning considerations for automating tasks
Scenarios to deploy enterprise operating systems
OS deployment scenarios overview
Upgrade Windows to the latest version
Windows Autopilot for existing devices
Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Replace an existing computer and transfer settings
Security and privacy for OS deployment
Planning for OS deployment interoperability
Get started
Prepare site system roles for OS deployments
Preparing for OS deployment
Prepare for OS deployment
Boot images
Manage boot images
Customize boot images
OS images
Manage OS images
Customize OS images
Manage OS upgrade packages
Manage drivers
Manage user state
Prepare for unknown computer deployments
 Associate users with a destination computer
Prepare Windows PE peer cache to reduce WAN traffic
Deploy and use
Methods to deploy enterprise operating systems
OS deployment methods
Use PXE to deploy Windows over the network
Use Software Center to deploy Windows over the network
Use bootable media to deploy Windows over the network
Use stand-alone media to deploy Windows without using the network
Use multicast to deploy Windows over the network
Create an image for an OEM in factory or a local depot
Create a task sequence for non-OS deployments
Deploy Windows to Go
Manage and create task sequences
Create task sequences to automate tasks
Create a task sequence to install an OS
Create a task sequence to upgrade an OS
Task sequence steps to manage BIOS to UEFI conversion
Create a task sequence to capture an OS
Create a task sequence to capture and restore user state
Create a custom task sequence
Deploy a task sequence
Create a phased deployment
Manage and monitor phased deployments
Manage Windows as a service
Monitor OS deployments
Debug a task sequence
Configure pre-cache content
Create task sequence media
Task sequence media overview
Create stand-alone media
Create prestaged media
 Create bootable media
Create capture media
Technical references
Use the task sequence editor
User experiences for OS deployment
Task sequence steps
About task sequence steps
Install Software Updates
Pre-provision BitLocker in Windows PE
How to use task sequence variables
Task sequence variables
Prestart commands for task sequence media
Provisioning mode
 Introduction to operating system deployment in
Configuration Manager
4/20/2020 • 8 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

You can use Configuration Manager to deploy operating systems in a number of different ways. Use the
information in this section to understand how to deploy operating systems and automate tasks.

The operating system deployment process

Configuration Manager provides several methods that you can use to deploy an operating system. There are
several actions that you must take regardless of the deployment method that you use:
Identify Windows device drivers that are required to start the boot image or install the operating system
image that you have to deploy.
Identify the boot image that you want to use to start the destination computer.
Use a task sequence to capture an image of the operating system that you will deploy. Alternatively, you can
use a default operating system image.
Distribute the boot image, operating system image, and any related content to a distribution point.
Create a task sequence with the steps to deploy the boot image and the operating system image.
Deploy the task sequence to a collection of computers.
Monitor the deployment.

Operating system deployment scenarios

There are many operating system deployment scenarios in Configuration Manager that you can choose from
depending on your environment and the purpose for the operating system installation. For example, you can
partition and format an existing computer with a new version of Windows or upgrade Windows to the latest
version. To help you determine the deployment method that meets your needs, review Scenarios to deploy
enterprise operating systems. You can choose from the following operating system deployment scenarios:
Upgrade Windows to the latest version
Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Replace an existing computer and transfer settings

Methods to deploy operating systems

There are several methods that you can use to deploy operating systems to Configuration Manager client
computers.
PXE initiated deployments : PXE-initiated deployments let client computers request a deployment over the
network. In this method of deployment, the operating system image and a Windows PE boot image are sent
to a distribution point that is configured to accept PXE boot requests. For more information, see Use PXE to
 deploy Windows over the network with Configuration Manager.
Make operating systems available in Software Center : You can deploy an operating system and make
it available in the Software Center. Configuration Manager clients can initiate the operating system
installation from Software Center. For more information, see Replace an existing computer and transfer
settings.
Multicast deployments : Multicast deployments conserve network bandwidth by concurrently sending
data to multiple clients instead of sending a copy of the data to each client over a separate connection. In this
method of deployment, the operating system image is sent to a distribution point. This in turn deploys the
image when client computers request the deployment. For more information, see Use multicast to deploy
Windows over the network.
Bootable media deployments : Bootable media deployments let you deploy the operating system when
the destination computer starts. When the destination computer starts, it retrieves the task sequence, the
operating system image, and any other required content from the network. Because that content is not
included on the media, you can update the content without having to re-create the media. For more
information, see Create bootable media.
Stand-alone media deployments : Stand-alone media deployments let you deploy operating systems in
the following conditions:
In environments where it is not practical to copy an operating system image or other large packages
over the network.
In environments without network connectivity or low bandwidth network connectivity.
For more information, see Create stand-alone media.
Pre-staged media deployments : Pre-staged media deployments let you deploy an operating system to a
computer that is not fully provisioned. The pre-staged media is a Windows Imaging Format (WIM) file that
can be installed on a bare-metal computer by the manufacturer or at an enterprise staging center that is not
connected to the Configuration Manager environment.
Later in the Configuration Manager environment, the computer starts by using the boot image provided by
the media, and then connects to the site management point for available task sequences that complete the
download process. This method of deployment can reduce network traffic because the boot image and
operating system image are already on the destination computer. You can specify applications, packages, and
driver packages to include in the pre-staged media. For more information, see Create prestaged media.

Boot images
A boot image in Configuration Manager is a Windows PE (WinPE) image that is used during an operating system
deployment. Boot images are used to start a computer in WinPE, which is a minimal operating system with limited
components and services that prepare the destination computer for Windows installation. Configuration Manager
provides two boot images: One to support x86 platforms and one to support x64 platforms. These are considered
default boot images. Boot images that you create and add to Configuration Manager are considered custom
images. Default boot images can be automatically replaced when you update Configuration Manager. For more
information about boot images, see Manage boot images.

Operating system images

Operating system images in Configuration Manager are stored in the Windows Imaging (WIM) file format and
represent a compressed collection of reference files and folders that are required to successfully install and
configure an operating system on a computer. For all operating system deployment scenarios, you must select an
operating system image. You can use the default operating system image or build the operating system image from
a reference computer that you configure. For more information, see Manage operating system images.

Operating system upgrade packages

Operating system upgrade packages are used to upgrade an operating system and are setup-initiated operating
system deployments. You import operating system upgrade packages to Configuration Manager from a DVD or
mounted ISO file. For more information, see Manage operating system upgrade packages.

Media to deploy operating systems

You can create several kinds of media that can be used to deploy operating systems. This includes capture media
that is used to capture operating system images and stand-alone, pre-staged, and bootable media that is used to
deploy an operating system. By using media, you can deploy operating systems on computers that do not have a
network connection or that have a low bandwidth connection to your Configuration Manager site. For more
information about how to use media, see Create task sequence media.

Device drivers
You can install device drivers on destination computers without including them in the operating system image that
is being deployed. Configuration Manager provides a driver catalog that contains references to all the device
drivers that you import into Configuration Manager. The driver catalog is located in the Software Librar y
workspace and consists of two nodes: Drivers and Driver Packages . The Drivers node lists all the drivers that
you have imported into the driver catalog. You can use this node to discover the details about each imported driver,
to change what driver package or boot image a driver belongs to, to enable or disable a driver, and more. For more
information, see Manage drivers.

Save and restore user state

When you deploy operating systems, you can save the user state from the destination computer, deploy the
operating system, and then restore the user state after the operating systems is deployed. This process is typically
used when you install the operating system on a Configuration Manager client computer.
The user state information is captured and restored by using task sequences. When the user state information is
captured, the information can be stored in one of the following ways:
You can store the user state data remotely by configuring a state migration point. The Capture task sequence
sends the data to the state migration point. Then, after the operating system is deployed, the Restore task
sequence retrieves the data and restores the user state on the destination computer.
You can store the user state data locally to a specific location. In this scenario, the Capture task sequence
copies the user data to a specific location on the destination computer. Then, after the operating system is
deployed, the Restore task sequence retrieves the user data from that location.
You can specify hard links that can be used to restore the user data to its original location. In this scenario,
the user state data remains on the drive when the old operating system is removed. Then, after the operating
system is deployed, the Restore task sequence uses the hard links to restore the user state data to its original
location.
For more information Manage user state.

Deploy to unknown computers

You can deploy an operating system to computers that are not managed by Configuration Manager. There is no
record of these computers in the Configuration Manager database. These computers are referred to as unknown
computers. Unknown computers include the following:
 A computer where the Configuration Manager client is not installed
A computer that is not imported into Configuration Manager
A computer that is not discovered by Configuration Manager
For more information, see Prepare for unknown computer deployments.

Associate users with a computer

When you deploy an operating system, you can associate users with the destination computer to support user
device affinity actions. When you associate a user with the destination computer, the administrative user can later
perform actions on whichever computer is associated with that user, such as deploying an application to the
computer of a specific user. However, when you deploy an operating system, you cannot deploy the operating
system to the computer of a specific user. For more information, see Associate users with a destination computer.

Use task sequences to automate steps

You can create task sequences to perform a variety of tasks within your Configuration Manager environment. The
actions of the task sequence are defined in the individual steps of the sequence. When the task sequence is run, the
actions of each step are performed at the command-line level without requiring user intervention. You can use task
sequences for the following:
Create a task sequence to install an operating system
Create a task sequence for non-operating system deployments
Create a task sequence to capture an operating system
Create a task sequence to capture and restore user state
Create a custom task sequence
 Infrastructure requirements for OS deployment in
Configuration Manager
9/4/2020 • 10 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

OS deployment in Configuration Manager has external dependencies as well as dependencies within the product.
Use this article to help you prepare the infrastructure for OS deployment.

Dependencies external to Configuration Manager

This section provides information about external tools, installation kits, and OS versions that are required to deploy
operating systems in Configuration Manager.
Windows ADK for Windows 10
The Windows Assessment and Deployment Kit (ADK) is a set of tools and documentation that support the
configuration and deployment of Windows. Configuration Manager uses the Windows ADK to automate actions
such as installing Windows, capturing images, and migrating user profiles and data.
For more information, see the following articles:
Windows ADK for Windows 10 scenarios for IT Pros
Download the Windows ADK for Windows 10

IMPORTANT
Make sure to download both the Windows ADK for Windows 10 and the Windows PE add-on for the ADK .

Support for Windows 10

Site systems
The Windows ADK is a prerequisite for the following site systems servers:
The site server of the top-level site in the hierarchy
The site server of each primary site in the hierarchy
Every instance of the SMS Provider

NOTE
Manually install the Windows ADK on each site server before you install the Configuration Manager site.

Windows ADK features

Install the following features of the Windows ADK:
User State Migration Tool (USMT)
 NOTE
USMT isn't required on the SMS Provider.

Windows Deployment Tools

Windows Preinstallation Environment (Windows PE)

IMPORTANT
Starting with Windows 10 version 1809, Windows PE is a separate installer. Otherwise there's no functional difference.

For a list of the versions of the Windows 10 ADK that you can use with different versions of Configuration
Manager, see Support for Windows 10.
User State Migration Tool (USMT )
Configuration Manager uses a USMT package that includes the USMT 10 source files to capture and restore the
user state as part of your OS deployment. Configuration Manager setup at the top-level site automatically creates
the USMT package. USMT 10 captures user state from Windows 7, Windows 8, Windows 8.1, and Windows 10.
For more information, see the following articles:
Common Migration Scenarios for USMT 10
Manage user state
Windows PE
Windows PE is used for boot images to start a computer. It's a Windows version with limited services that's used
during the pre-installation and deployment of Windows. The following list includes the supported versions of the
Windows ADK for Configuration Manager, current branch:
Windows ADK version
Windows ADK for Windows 10. For more information, see Support For Windows 10.
Windows PE versions for boot images customizable from the Configuration Manager console
Windows PE 10
Supported Windows PE versions for boot images not customizable from the Configuration Manager console
Windows PE 3.11 and Windows PE 5
1 You can only add a boot image to Configuration Manager
when it's based on Windows PE 3.1. Install the
Windows AIK Supplement for Windows 7 SP1 to upgrade Windows AIK for Windows 7 (based on Windows PE 3)
with the Windows AIK Supplement for Windows 7 SP1 (based on Windows PE 3.1). Download the Windows AIK
Supplement for Windows 7 SP1 from the Microsoft Download Center.
For example, when you have Configuration Manager, you can customize boot images from Windows ADK for
Windows 10 (based on Windows PE 10) from the Configuration Manager console. However, while boot images
based on Windows PE 5 are supported, you must customize them from a different computer and use the version
of DISM that's installed with Windows ADK for Windows 8. Then add the boot image to the Configuration Manager
console. For more information with the steps to customize a boot image (add optional components and drivers),
enable command support to the boot image, add the boot image to the Configuration Manager console, and
update distribution points with the boot image, see Customize boot images. For more information about boot
images, see Manage boot images.
Windows Server Update Services (WSUS )
WSUS is required for the software update point, which is required to install software updates during OS
deployment. For more information, see Install a configure a software update point.
Internet Information Services (IIS ) on the site system servers
IIS is required for the distribution point, state migration point, and management point. For more information, see
Site and site system prerequisites.
Windows Deployment Services (WDS )
In version 1802 and prior, WDS is needed for PXE deployments. Starting in version 1806, you can enable PXE on a
distribution point without WDS. For more information, see Windows Deployment Services in this article.
Dynamic Host Configuration Protocol (DHCP)
DHCP is required for PXE deployments. You must have a functioning DHCP server with an active host to deploy
operating systems by using PXE. For more information about PXE deployments, see Use PXE to deploy Windows
over the network.
Supported operating systems and hard disk configurations
For more information about the OS versions and hard disk configurations that are supported by Configuration
Manager when you deploy operating systems, see Supported operating systems and Supported disk
configurations.
Windows device drivers
Windows device drivers can be used when you install the OS on the destination computer. They're also used when
you run Windows PE in a boot image. For more information, see Manage drivers.

Configuration Manager dependencies

This section provides information about Configuration Manager OS deployment prerequisites.
OS image
OS images in Configuration Manager are stored in the Windows Imaging (WIM) file format. They represent a
compressed collection of reference files and folders. These images are required to successfully install and
configure an OS on a computer. For more information, see Manage OS images.
Driver catalog
To deploy a device driver, import the device driver, enable it, and make it available on a distribution point that the
Configuration Manager client can access. For more information about the driver catalog, see Manage drivers.
Management point
Management points transfer information between clients and the Configuration Manager site. The client uses a
management point to run the task sequence to complete the OS deployment. For more information about task
sequences, see Planning considerations for automating tasks.
Distribution point
Distribution points are used in most deployments to store the data that's used to deploy an OS, such as the image
or driver packages. Task sequences typically retrieve data from a distribution point to deploy the OS. For more
information about how to install distribution points and manage content, see Manage content and content
infrastructure.
PXE-enabled distribution point
To deploy PXE-initiated deployments, configure a distribution point to accept PXE requests from clients. For more
information, see Configure a distribution point.
Multicast-enabled distribution point
To optimize your OS deployments by using multicast, configure a distribution point to support multicast. For more
information, see Configure a distribution point.
State migration point
When you capture and restore user state data for side-by-side and refresh deployments, configure a state
migration point to store the user state data on another computer.
For more about how to configure the state migration point, see State migration point.
For more information about how to capture and restore user state, see Manage user state.
Reporting services point
To use Configuration Manager reports for OS deployments, install and configure a reporting point. For more
information, see Introduction to reporting.
Security permissions for OS deployments
The Operating System Deployment Manager security role is a built-in role that you can't change. However,
you can copy the role, make changes, and then save these changes as a new custom security role. Here are some of
the permissions that apply directly to OS deployments:
Boot Image Package : Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope
Device Drivers : Create, Delete, Modify, Modify Folder, Modify Report, Move Object, Read, Run Report
Driver Package : Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope
Operating System Image : Create, Delete, Modify, Modify Folder, Move Object, Read, Set Security Scope
Operating System Upgrade Package : Create, Delete, Modify, Modify Folder, Move Object, Read, Set
Security Scope
Task Sequence Package : Create, Create Task Sequence Media, Delete, Modify, Modify Folder, Modify
Report, Move Object, Read, Run Report, Set Security Scope
For more information, see Create custom security roles.
Security scopes for OS deployments
Use security scopes to provide administrative users with access to the securable objects used in OS deployments,
such as OS and boot images, driver packages, and task sequence packages. For more information, see Security
scopes.

Windows Deployment Services

In version 1802 and prior, Windows Deployment Services (WDS) must be installed on the same server as the
distribution points that you configure to support PXE or multicast. WDS is included in the server OS. For PXE
deployments, WDS is the service that performs the PXE boot. When the distribution point is installed and enabled
for PXE, Configuration Manager installs a provider into WDS that uses the WDS PXE boot functions.
Starting in version 1806, you can enable PXE on a distribution point without WDS. For more information, see the
Enable a PXE responder without Windows Deployment Ser vice option in Install and configure distribution
points.

NOTE
If the server requires a restart, the installation of WDS might fail.

WDS requirements
The WDS installation on the server requires that the administrator is a member of the local Administrators
group.
 The WDS server must be either a member of an Active Directory domain or a domain controller for an
Active Directory domain. All Windows domain and forest configurations support WDS.
If the provider is installed on a remote server, install WDS on the site server and the remote provider.
Considerations when you have WDS and DHCP on the same server
If you plan to co-host the distribution point on a server running DHCP, consider the following configuration issues:
You must have a functioning DHCP server with an active scope. WDS uses PXE, which requires a DHCP
server.
A DNS server is required to run WDS.
The following UDP ports must be open on the WDS server:
Port 67 (DHCP)
Port 69 (TFTP)
Port 4011 (PXE)

NOTE
If DHCP authorization is required on the server, you need DHCP client port 68 to be open on the server.

DHCP and WDS both require port number 67. If you co-host WDS and DHCP, you can move DHCP or the
distribution point that's configured for PXE to a separate server. Or, you can use the following procedure to
configure the WDS server to listen on a different port.
To configure the WDS server to listen on a different port
1. Modify the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Providers\WDSPXE

2. Set the registry value UseDHCPPor ts to 0 .

3. For the new configuration to take effect, run the following command on the server:
WDSUTIL /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes

NOTE
In version 1810 and earlier, it's not supported to use the PXE responder without WDS on servers that are also running a
DHCP server.
Starting in version 1902, when you enable a PXE responder on a distribution point without Windows Deployment Service, it
can now be on the same server as the DHCP service. For more information, see Configure at least one distribution point to
accept PXE requests.

Supported operating systems

All Windows operating systems listed as supported clients in Supported operating systems for clients and devices
are supported for OS deployment.

Supported disk configurations

The hard disk configuration combinations on the reference and destination computers that are supported for
Configuration Manager OS deployment are shown in the following table:
 REF EREN C E C O M P UT ER H A RD DISK C O N F IGURAT IO N DEST IN AT IO N C O M P UT ER H A RD DISK C O N F IGURAT IO N

Basic disk Basic disk

Simple volume on a dynamic disk Simple volume on a dynamic disk

Configuration Manager supports capturing an OS image only from computers that are configured with simple
volumes. There's no support for the following hard disk configurations:
Spanned volumes
Striped volumes (RAID 0)
Mirrored volumes (RAID 1)
Parity volumes (RAID 5)
The following table shows an additional hard disk configuration on the reference and destination computers that
isn't supported with Configuration Manager OS deployment.

REF EREN C E C O M P UT ER H A RD DISK C O N F IGURAT IO N DEST IN AT IO N C O M P UT ER H A RD DISK C O N F IGURAT IO N

Basic disk Dynamic disk

Next steps
Prepare site system roles for OS deployments
Prepare for OS deployment
 Plan for automating tasks in Configuration Manager
4/20/2020 • 15 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

You can create task sequences to automate tasks in your Configuration Manager environment. These tasks range
from capturing an OS on a reference computer to deploying the OS to one or more destination computers. The
actions of the task sequence are defined in the individual steps of the sequence. When the task sequence runs, it
runs the actions of each step at the command-line level in the Local System context. This behavior means the task
sequence runs fully automated with no user intervention.

Task sequence steps and actions

Steps are the basic components of a task sequence. They can include commands such as:
Configure and capture the OS of a reference computer
Install Windows, hardware drivers, the Configuration Manager client, and software on the destination computer
The actions of the step define the commands of a task sequence step. There are two types of actions:
An action that you define by using a command-line string is referred to as a custom action
An action that's predefined by Configuration Manager is referred to as a built-in action.
A task sequence can do any combination of custom and built-in actions.
Task sequence steps can also include conditions that control how the step behaves. These behaviors include
stopping the task sequence, or continuing the task sequence if an error occurs. One type of condition is a task
sequence variable. For example, use the SMSTSLastActionRetCode variable to test the condition of the previous
step. Add conditions to a single step or a group of steps.
The task sequence processes steps sequentially. This sequence includes the action of the step and any conditions
on the step. When Configuration Manager starts to process a task sequence step, it doesn't start the next step until
the previous action is complete.
A task sequence is considered complete when:
All its steps are complete
A failed step causes Configuration Manager to stop running the task sequence before all its steps are
completed.
For example, if the step of a task sequence can't locate a referenced image or package on a distribution point, the
task sequence includes a broken reference. Configuration Manager stops running the task sequence at that point,
unless the failed step has a condition to continue when an error occurs.

IMPORTANT
By default, a task sequence fails after one step or action fails. If you want the task sequence to continue even when a step
fails, edit the task sequence, switch to the Options tab, and then select Continue on error .

For more information about the steps that can be added to a task sequence, see Task sequence steps.

Task sequence groups

You can group multiple steps within a task sequence. A task sequence group consists of a name, an optional
description, and any optional conditions. The task sequence evaluates the group conditions as a unit before it
continues with the next step. Nest groups within each other, or include a mixture of steps and subgroups. Groups
are useful for combining multiple steps that share a common condition.
Assign a name to task sequence groups. It doesn't have to be unique. You can also provide an optional description
for the task sequence group.

IMPORTANT
By default, a task sequence group fails when any step or embedded group within the group fails. If you want the task
sequence to continue when a step or embedded group fails, set the Continue on error option on the step or group.

The following table shows how the Continue on error option works when you group steps.
In this example, there are two groups of task sequences that include three task sequence steps each.

TA SK SEQ UEN C E GRO UP O R ST EP C O N T IN UE O N ERRO R SET T IN G

Task sequence group 1 Continue on error selected.

Task sequence step 1 Continue on error selected.

Task sequence step 2 Not set.

Task sequence step 3 Not set.

Task sequence group 2 Not set.

Task sequence step 4 Not set.

Task sequence step 5 Not set.

Task sequence step 6 Not set.

If task sequence step 1 fails, the task sequence continues with task sequence step 2.
If task sequence step 2 fails, the task sequence doesn't run task sequence step 3. Because task sequence
group 1 is configured to Continue on error , the task sequence continues to task sequence group 2. It runs
task sequence step 4 next.
If task sequence step 4 fails, no more steps are run. The task sequence fails because the Continue on error
setting isn't configured for task sequence group 2.

Add child task sequences to a task sequence

Add a new task sequence step that runs another task sequence. This step creates a parent-child relationship
between the task sequences. Using this step allows you to create more modular task sequences that you can reuse.
For more information, see Run Task Sequence.
 NOTE
Configuration Manager doesn't enable this optional feature by default. You must enable this feature before using it. For
more information, see Enable optional features from updates.

Task sequence variables

Task sequence variables are a set of name and value pairs. They supply configuration and OS deployment settings
for computer, OS, and user state configuration tasks on a Configuration Manager client. Task sequence variables
provide a mechanism to configure and customize the steps in a task sequence.
When you run a task sequence, it stores many of the task sequence settings as environment variables. You can
access or change the values of built-in task sequence variables. You can also create new task sequence variables to
customize the way a task sequence runs on a destination computer.
Use task sequence variables to do the following actions:
Configure settings for a task sequence action
Supply command-line arguments for a task sequence step
Evaluate a condition that determines whether a task sequence step or group runs
Provide values for custom scripts used in a task sequence
For example, you have a task sequence that includes a Join Domain or Workgroup task sequence step. Deploy
the task sequence to different collections, where the membership of the collection is determined by domain
membership. Specify a per-collection task sequence variable for each collection's domain name. Then use that task
sequence variable to supply the appropriate domain name in the task sequence.
For more information, see How to use task sequence variables.

Create a task sequence

Create task sequences by using the Create Task Sequence Wizard. The wizard can create built-in task sequences
that do specific tasks or custom task sequences that can do many different tasks. The wizard lets you create the
following types of task sequences:
Install an existing OS image on a destination computer
Build and capture an OS image of a reference computer
Upgrade to Windows 10 from an OS upgrade package on a destination computer
Create a custom task sequence that does a customized task or specialized OS deployment
For more information, see Create task sequences.

Edit a task sequence

Edit the task sequence by using the Task Sequence Editor . The editor can make the following changes to the task
sequence:
Add or remove steps from the task sequence
Change the order of the steps of the task sequence
Add or remove groups of steps
 Specify whether the task sequence continues when an error occurs
Add conditions to the steps and groups of a task sequence

IMPORTANT
If the task sequence has any unassociated references to an object as a result of the edit, the editor requires you fix the
reference before it can close. Possible actions include:
Correct the reference
Delete the unreferenced object from the task sequence
Temporarily disable the failed task sequence step until the broken reference is corrected or removed

For more information about how to edit task sequences, see Use the task sequence editor.

Deploy a task sequence

Deploy a task sequence to destination computers that are in any Configuration Manager collection. Use the built-in
All Unknown Computers collection to deploy operating systems to unknown computers. You can't deploy a task
sequence to user collections.

IMPORTANT
Don't deploy task sequences that install operating systems to inappropriate collections. Be sure that the collection to which
you deploy the task sequence includes only those computers where you want to install the OS. To help prevent unwanted
OS deployments, configure settings for high-risk deployments. For more information, see Settings to manage high-risk
deployments.

Each destination computer that receives the task sequence runs the task sequence according to the settings
specified in the deployment. The task sequences itself doesn't contain associated files or programs. Any files that a
task sequence references must already be present on the destination computer or stored on a distribution point
that clients can access.

NOTE
The task sequence installs packages that are referenced by programs, even if the program or package is already installed on
the destination computer.
If the task sequence installs an application, the application installs only if the requirement rules for the application are met,
and the application isn't already installed, based on the detection method that's specified for the application.

The Configuration Manager client runs a task sequence deployment when it downloads client policy. To trigger this
action rather than wait until the next polling cycle, see Initiate policy retrieval for a Configuration Manager client.
When you deploy task sequences to Windows Embedded devices that are enabled with a write filter, you can
specify whether to disable the write filter on the device during the deployment and then restart the device after the
deployment. If the write filter isn't disabled, the task sequence is deployed to a temporary overlay and it won't be
available when the device restarts.
 NOTE
When you deploy a task sequence to a Windows Embedded device, ensure that the device is a member of a collection that
has a configured maintenance window. This allows you to manage when the write filter is disabled and enabled, and when
the device restarts.
If clients download task sequences outside of a maintenance window, the task sequence is downloaded twice. In this
scenario, the client downloads the task sequence, disables the write filter, restarts the computer, and then downloads the
task sequence again. This behavior is because the task sequence was originally downloaded to the temporary overlay, which
is cleared when the device restarts.

For more information about how to deploy task sequences, see the Deploy a task sequence.

Export and import

Configuration Manager lets you export and import task sequences. When you export a task sequence, you can
include the objects that are referenced by the task sequence.
For more information, see Export and import task sequences.

Run a task sequence

Task sequences always run by using the Local System account. When the task sequence runs, the Configuration
Manager client first checks for any referenced packages before it starts the steps of the task sequence. If it can't
validate or download a referenced package, the task sequence returns an error for the associated task sequence
step.

NOTE
The task sequence step Run Command Line provides the ability to run a command as a different account.

If you configure a task sequence deployment to download and run, the Configuration Manager client downloads
all dependent content to its cache. If the client cache size is too small or the content can't be found, the task
sequence fails. The client generates a status message.
You can also specify that the client downloads the content only when it's required. To do this action, select
Download content locally when needed by running task sequence in the task sequence deployment.
Another option is to Run program from distribution point . With this option, the client installs the files directly
from the distribution point without downloading them into the cache first.
When you configure the task sequence deployment as Available , if the client can't locate dependent content for
the task sequence, it immediately sends an error. For a Required deployment, the Configuration Manager client
waits in this situation. It retries to download the content until the deadline, in case the content isn't yet replicated to
a content location that the client can access.
When a task sequence completes successfully or fails, Configuration Manager records this state in the client
history.
Once a task sequence starts on a computer, you can't cancel or stop it.

IMPORTANT
If a task sequence step requires the computer to restart, the client must be able to boot to a formatted disk partition.
Otherwise, the task sequence fails regardless of any error handling that you specify in the task sequence.
When a dependent object of a task sequence is updated to a newer version, any task sequence that references the
package is automatically updated. It references the newest version, no matter how many updates you've deployed.

Use maintenance windows

You can specify when the task sequence can run by defining a maintenance window for the device collection. You
configure maintenance windows with a start date, a start and finish time, and a recurrence pattern. When you set
the schedule for the maintenance window, you can specify that the maintenance window applies only to task
sequences. For more information, see How to use maintenance windows.

IMPORTANT
When you configure a maintenance window to run a task sequence, once the task sequences starts it continues to run even
if the maintenance window closes.

If a device has more than one maintenance window applied, the client may ignore an All deployments
maintenance window. Starting in version 1810, use the following client setting to control this behavior: Enable
installation of software updates in "All deployments" maintenance window when "Software Update"
maintenance window is available . For more information, see About client settings

Task sequences and the network access account

IMPORTANT
Some OS deployment scenarios don't require use of the network access account. For more information, see Enhanced HTTP.

Although task sequences run only in the context of the Local System account, you might need to configure the
network access account in the following circumstances:
If the task sequence tries to access Configuration Manager content on distribution points. Correctly
configure the network access account, or the task sequence will fail.
When you use a boot image to initiate an OS deployment. In this case, Configuration Manager uses the
Windows PE environment, which isn't a full OS. The Windows PE environment uses an automatically
generated, random name that isn't a member of any domain. If you don't correctly configure the network
access account, the computer can't access the required content for the task sequence.

NOTE
The network access account is never used as the security context for running programs, installing applications, installing
updates, or running task sequences. The network access account is only used to access the associated resources on the
network.

For more information about the network access account, see Network access account.
Enhanced HTTP
When you enable Enhanced HTTP , the following scenarios don't require a network access account to download
content from a distribution point:
Task sequences running from boot media or PXE
Task sequences running from Software Center
These task sequences can be for OS deployment or custom. It's also supported for workgroup computers.
For more information, see Enhanced HTTP.

NOTE
The following OS deployment scenarios still require the use of a network access account:
The task sequence deployment option, Access content directly from a distribution point when needed by the
running task sequence
The Request State Store step option, If computer account fails to connect to a state store, use the network
access account
When connecting with an untrusted domain or across Active Directory forests
The Apply OS Image step option, Access content directly from the distribution point
The task sequence advanced setting to Run another program first
Multicast

Create media
You can write task sequences and their related files and dependencies to several types of media. Configuration
Manager supports removable media such as a DVD or a USB flash drive for capture, stand-alone, and bootable
media. Prestaged media uses a Windows image (WIM) file.
When you create media, specify a password to control access. Then a person must enter the password at the target
computer to run the task sequence.
When you run a task sequence from media, the specified processor architecture of the media isn't recognized. If
the specified architecture doesn't match the target computer, the task sequence still attempts to run. If the
architecture of the media doesn't match the architecture of the target computer, the task sequence fails.
For more information, see Create task sequence media.
Media types
Configuration Manager supports the following types of media:
Capture media
This media captures an OS image that you configure and create outside of the Configuration Manager
infrastructure. Capture media can contain custom programs that can run before a task sequence runs. The custom
program can interact with the desktop, prompt the user for input values, or create variables to be used by the task
sequence.
For more information, see Create capture media.
Stand-alone media
Stand-alone media contains the task sequence and all associated objects that are necessary for the task sequence
to run. Stand-alone media task sequences can run when Configuration Manager has limited or no connectivity to
the network. Run stand-alone media in the following ways:
If the destination computer isn't booted, the Windows PE image associated with the task sequence is used
from the stand-alone media, and the task sequence begins.
Manually start the stand-alone media. If a user is signed in to the computer, they can initiate the task
sequence from the media.
 IMPORTANT
The steps of a stand-alone media task sequence must be able to run without retrieving any data from the network.
Otherwise, the task sequence step that tries to retrieve the data fails. For example, a task sequence step that requires a
distribution point to obtain a package fails. If the stand-alone media contains the necessary package, the task sequence step
succeeds.

For more information, see Create stand-alone media.

Bootable media
Bootable media contains the required files to start a destination computer so that it can connect to the
Configuration Manager infrastructure. It then determines which task sequences to run based on its collection
memberships. This media doesn't include the task sequence or dependent objects. Instead, the client downloads
the content over the network. This method is useful for new computers or bare-metal deployments, when no OS is
on the destination computer.
For more information, see Create bootable media.
Prestaged media
Prestaged media deploys an OS image to a destination computer that isn't provisioned. The prestaged media is
stored as a Windows image (WIM) file. This file can be installed on a bare-metal computer by the manufacturer or
at an enterprise staging center. A benefit of prestaged media is that these locations don't require a connection to
your Configuration Manager environment.
For more information, see Create prestaged media.

Next steps
Security and privacy for OS deployment
Prepare site system roles for OS deployments
 Scenarios to deploy enterprise operating systems
with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The following OS deployment scenarios are available in Configuration Manager:
Upgrade Windows to the latest version
This scenario upgrades the OS on computers that currently run Windows 7, Windows 8.1, or Windows 10. The
upgrade process keeps the applications, settings, and user data on the computer. There are no external
dependencies, such as the Windows ADK. This process can be faster and more resilient than traditional OS
deployments.
For more information, see Upgrade Windows to the latest version.
Windows Autopilot for existing devices
Starting in version 1810, Windows Autopilot for existing devices is available with Windows 10 version 1809 or
later. This feature allows you to reimage and provision a Windows 7 device for Windows Autopilot user-driven
mode using a single Configuration Manager task sequence.
For more information, see Windows Autopilot for existing devices.
Refresh an existing computer with a new version of Windows
This scenario partitions and formats (wipes) an existing computer and installs a new OS on the computer. You can
migrate settings and user data after the OS is installed.
For more information, see Refresh an existing computer with a new version of Windows.
Install a new version of Windows on a new computer (bare metal)
This scenario installs an OS on a new computer. It's a fresh installation of the OS and doesn't include any settings
or user data migration.
For more information, see Install a new version of Windows on a new computer (bare metal).
Replace an existing computer and transfer settings
This scenario installs an OS on a new computer. Optionally, you can migrate settings and user data from the old
computer to the new computer.
For more information, see Replace an existing computer and transfer settings.
 Upgrade Windows to the latest version with
Configuration Manager
9/4/2020 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

This article provides the steps in Configuration Manager to upgrade the OS on a computer. You can choose from
different deployment methods, such as stand-alone media or Software Center. The in-place upgrade scenario has
the following features:
Upgrades the OS to Windows 10, or Windows Server 2016 and later
Keeps the applications, settings, and user data on the computer
Has no external dependencies, such as the Windows ADK
Is faster and more resilient than traditional OS deployments

NOTE
The Windows 10 in-place upgrade task sequence supports deployment to internet-based clients managed through the
cloud management gateway. This ability allows remote users to more easily upgrade to Windows 10 without needing to
connect to the intranet. For more information, see Deploy Windows 10 in-place upgrade via CMG.

Supported versions
Upgrade version
Only create OS upgrade packages to upgrade to the following OS versions:
Windows 10
Windows Server 2016
Windows Server 2019
Original version
Devices must run one of the following OS versions to target an OS upgrade task sequence:
Windows client
Windows 7
Windows 8.1
An earlier version of Windows 10. For example, you can upgrade Windows 10, version 1809 to Windows 10,
version 1903.
For more information, see Windows 10 upgrade paths.
Windows Server
Windows Server 2012
Windows Server 2012 R2
An earlier version of Windows Server 2016
An earlier version of Windows Server 2019
For more information about Windows Server supported upgrade paths, see Windows Server 2016 supported
upgrade paths and Windows Server Upgrade Center.

Plan
Task sequence requirements and limitations
Review the following requirements and limitations for the task sequence to upgrade an OS to make sure it meets
your needs:
Only add task sequence steps that are related to the core task of upgrading the OS. These steps primarily
include installing packages, applications, or updates. Also use steps that run command lines, PowerShell, or
set dynamic variables.
Review drivers and applications that are installed on computers. Before you deploy the upgrade task
sequence, make sure the drivers are compatible with Windows 10.
The following tasks aren't compatible with the in-place upgrade. They require you to use traditional OS
deployments:
Changing the computer's domain membership, or updating the local Administrators group.
Implementing a fundamental change on the computer, such as:
Changing disk partitions
Changing the system architecture from x86 to x64
Implementing UEFI. (For more information on a possible option, see Convert from BIOS to UEFI during
an in-place upgrade.)
Modifying the base OS language
You have custom requirements including using a custom base image, using third-party disk encryption, or
require WinPE offline operations.
Infrastructure requirements
The only prerequisite for the upgrade scenario is to have a distribution point available. Distribute the OS upgrade
package and any other packages that you include in the task sequence. For more information, see Install or modify
a distribution point.

Configure
Prepare the OS upgrade package
The Windows 10 upgrade package contains the source files necessary to upgrade the OS on the destination
computer. The upgrade package must be the same edition, architecture, and language as the clients that you
upgrade. For more information, see Manage OS upgrade packages.
Create a task sequence to upgrade the OS
Use the steps in Create a task sequence to upgrade an OS to automate the upgrade of the OS.

NOTE
To create a task sequence to upgrade an OS to Windows 10, you typically use the steps in Create a task sequence to
upgrade an OS. The task sequence includes the Upgrade OS step, as well as additional recommended steps and groups to
handle the end-to-end upgrade process.
You can create a custom task sequence and add the Upgrade OS step. This step is the only one required to upgrade the OS
to Windows 10. If you choose this method, to complete the upgrade, also add the Restart Computer step after the
Upgrade OS step. Be sure to use the The currently installed default operating system setting to restart the
computer into the installed OS and not Windows PE.
Deploy
To deploy the OS, use one of the following deployment methods:
Use Software Center to deploy Windows over the network
Use stand-alone media to deploy Windows without using the network

IMPORTANT
When you use stand-alone media, you must include a boot image in the task sequence. This configuration makes
the task sequence available in the Task Sequence Media Wizard.

Monitor
To monitor the task sequence deployment to upgrade the OS, see Monitor OS deployments.
 Windows Autopilot Deployment for existing devices
9/4/2020 • 14 minutes to read • Edit Online

Applies to: Windows 10

Modern desktop deployment with Windows Autopilot enables you to easily deploy the latest version of Windows
10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is
synchronized, so you can resume working right away.
This topic describes how to convert Windows 7 or Windows 8.1 domain-joined computers to Windows 10 devices
joined to either Azure Active Directory or Active Directory (Hybrid Azure AD Join) by using Windows Autopilot.

NOTE
Windows Autopilot for existing devices only supports user-driven Azure Active Directory and Hybrid Azure AD profiles. Self-
deploying profiles are not supported.

Prerequisites
A currently supported version of Microsoft Endpoint Configuration Manager current branch or technical
preview branch.
The Windows ADK 1803 or later
For more information on Configuration Manager support, see Support for Windows 10 ADK.
Assigned Microsoft Intune Licenses
Azure Active Directory Premium
Windows 10 version 1809 or later imported into Configuration Manager as an Operating System Image
Impor tant : See Known issues if you are using Windows 10 1903 with Configuration Manager’s built-in
Windows Autopilot existing device task sequence template. Currently, one of the steps in this task
sequence must be edited to work properly with Windows 10, version 1903.

Procedures
Configure the Enrollment Status Page (optional)
If desired, you can set up an enrollment status page for Autopilot using Intune.
To enable and configure the enrollment and status page:
1. Open Intune in the Azure portal.
2. Access Intune > Device enrollment > Windows enrollment and Set up an enrollment status page.
3. Access Azure Active Director y > Mobility (MDM and MAM) > Microsoft Intune and Configure
automatic MDM enrollment and configure the MDM user scope for some or all users.
See the following examples.
Create the JSON file

TIP
To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first
download and install the Windows Management Framework.

1. On an Internet connected Windows PC or server, open an elevated Windows PowerShell command window
2. Enter the following lines to install the necessary modules
Install required modules

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force

Install-Module AzureAD -Force
Install-Module WindowsAutopilotIntune -Force
Install-Module Microsoft.Graph.Intune -Force

3. Enter the following lines and provide Intune administrative credentials

Be sure that the user account you specify has sufficient administrative rights.

Connect-MSGraph

The user and password for your account will be requested using a standard Azure AD form. Type
your username and password and then click Sign in .
See the following example:
 If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and
write permissions for Microsoft Intune PowerShell. To enable these permissions:
Select Consent on behalf or your organization
Click Accept
4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format:
Retrieve profiles in Autopilot for existing devices JSON format

Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON

See the following sample output: (use the horizontal scroll bar at the bottom to view long lines)

PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON

{
"CloudAssignedTenantId": "1537de22-988c-4e93-b8a5-83890f34a69b",
"CloudAssignedForcedEnrollment": 1,
"Version": 2049,
"Comment_File": "Profile Autopilot Profile",
"CloudAssignedAadServerData": "{\"ZeroTouchConfig\":
{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365
x373186.onmicrosoft.com\"}}",
"CloudAssignedTenantDomain": "M365x373186.onmicrosoft.com",
"CloudAssignedDomainJoinMethod": 0,
"CloudAssignedOobeConfig": 28,
"ZtdCorrelationId": "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
}

Each profile is encapsulated within braces { } . In the previous example, a single profile is displayed.
See the following table for a description of properties used in the JSON file.

P RO P ERT Y DESC RIP T IO N

Version (number, optional) The version number that identifies the format of the JSON
file. For Windows 10 1809, the version specified must be
2049.
 P RO P ERT Y DESC RIP T IO N

CloudAssignedTenantId (guid, required) The Azure Active Directory tenant ID that should be used.
This is the GUID for the tenant, and can be found in
properties of the tenant. The value should not include
braces.

CloudAssignedTenantDomain (string, required) The Azure Active Directory tenant name that should be
used, for example: tenant.onmicrosoft.com.

CloudAssignedOobeConfig (number, required) This is a bitmap that shows which Autopilot settings were
configured. Values include: SkipCortanaOptIn = 1,
OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4,
SkipOemRegistration = 8, SkipEula = 16

CloudAssignedDomainJoinMethod (number, required) This property specifies whether the device should join
Azure Active Directory or Active Directory (Hybrid Azure
AD Join). Values include: Active AD Join = 0, Hybrid Azure
AD Join = 1

CloudAssignedForcedEnrollment (number, required) Specifies that the device should require AAD Join and
MDM enrollment.
0 = not required, 1 = required.

ZtdCorrelationId (guid, required) A unique GUID (without braces) that will be provided to
Intune as part of the registration process.
ZtdCorrelationId will be included in enrollment message as
“OfflineAutoPilotEnrollmentCorrelator”. This attribute will
be present only if the enrollment is taking place on a
device registered with Zero Touch Provisioning via offline
registration.

CloudAssignedAadServerData (encoded JSON string, An embedded JSON string used for branding. It requires
required) AAD corp branding enabled.
Example value: "CloudAssignedAadServerData": "
{"ZeroTouchConfig":
{"CloudAssignedTenantUpn":"","CloudAssignedTenantDom
ain":"tenant.onmicrosoft.com"}}"

CloudAssignedDeviceName (string, optional) The name automatically assigned to the computer. This
follows the naming pattern convention that can be
configured in Intune as part of the Autopilot profile, or
can specify an explicit name to use.

5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to
Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file
format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory
(ex: c:\Autopilot) and save the profile as shown below: (use the horizontal scroll bar at the bottom if needed
to view the entire command string)

Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File

c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII

IMPORTANT : The file name must be named AutopilotConfigurationFile.json in addition to being

encoded as ASCII/ANSI.
If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose Save
 as you must select Save as type: All Files and choose ANSI from the drop-down list next to Encoding . See
the following example.

After saving the file, move the file to a location suitable as a Microsoft Endpoint Configuration Manager
package source.

IMPORTANT
Multiple JSON profile files can be used, but each must be named AutopilotConfigurationFile.json in order for
OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause
Windows 10 OOBE to not follow the Autopilot experience .

Create a package containing the JSON file

1. In Configuration Manager, navigate to \Software Librar y\Over view\Application Management\Packages
2. On the ribbon, click Create Package
3. In the Create Package and Program Wizard enter the following Package and Program Type details:
Name: Autopilot for existing devices config
Select the This package contains source files checkbox
Source folder: Click Browse and specify a UNC path containing the AutopilotConfigurationFile.json file.
Click OK and then click Next .
Program Type: Do not create a program
4. Click Next twice and then click Close .
NOTE : If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON
file and redistribute the associated Configuration Manager package.
Create a target collection

NOTE
You can also choose to reuse an existing collection
1. Navigate to \Assets and Compliance\Over view\Device Collections
2. On the ribbon, click Create and then click Create Device Collection
3. In the Create Device Collection Wizard enter the following General details:
Name: Autopilot for existing devices collection
Comment: (optional)
Limiting collection: Click Browse and select All Systems

NOTE
You can optionally choose to use an alternative collection for the limiting collection. The device to be
upgraded must be running the ConfigMgr agent in the collection that you select.

4. Click Next , then enter the following Membership Rules details:

Click Add Rule and specify either a direct or query based collection rule to add the target test
Windows 7 devices to the new collection.
For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use
Name as the attribute, click Add Rule > Direct Rule > (wizard opens) > Next and then enter
PC-01 next to Value . Click Next , and then choose PC-01 under Resources . See the following
examples.
5. Continue creating the device collection with the default settings:
Use incremental updates for this collection: not selected
Schedule a full update on this collection: default
Click Next twice and then click Close
Create an Autopilot for existing devices Task Sequence

TIP
The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the
Configuration Manager conole under Software Librar y\Over view\Operating Systems\Boot images and verify that
the OS Version is 10.0.17134.1 (Windows 10 version 1803) or later.

1. In the Configuration Manager console, navigate to \Software Librar y\Over view\Operating

Systems\Task Sequences
2. On the Home ribbon, click Create Task Sequence
3. Select Install an existing image package and then click Next
4. In the Create Task Sequence Wizard enter the following details:
Task sequence name: Autopilot for existing devices
Boot Image: Click Browse and select a Windows 10 boot image (1803 or later)
Click Next , and then on the Install Windows page click Browse and select a Windows 10 Image
package and Image Index , version 1803 or later.
Select the Par tition and format the target computer before installing the operating system
checkbox.
Select or clear Configure task sequence for use with BitLocker checkbox. This is optional.
Product Key and Server licensing mode: Optionally enter a product key and server licensing mode.
Randomly generate the local administrator password and disable the account on all support
platforms (recommended): Optional.
 Enable the account and specify the local administrator password: Optional.
Click Next , and then on the Configure Network page choose Join a workgroup and specify a name
(ex: workgroup) next to Workgroup .

IMPORTANT
The Autopilot for existing devices task sequence will run the Prepare Windows for capture action which
uses the System Preparation Tool (sysprep). This action will fail if the target machine is joined to a domain.

IMPORTANT
The System Preparation Tool (sysprep) will run with the /Generalize parameter which, on Windows 10 versions
1903 and 1909, will delete the Autopilot profile file and the machine will boot into OOBE phase instead of
Autopilot phase. To fix this issue, please see Windows Autopilot - known issues.

5. Click Next , and then click Next again to accept the default settings on the Install Configuration Manager
page.
6. On the State Migration page, enter the following details:
Clear the Capture user settings and files checkbox.
Clear the Capture network settings checkbox.
Clear the Capture Microsoft Windows settings checkbox.
Click Next .

NOTE
Because the Autopilot for existing devices task sequence completes while in Windows PE, User State
Migration Toolkit (USMT) data migration is not supported as there is no way to restore the user state into the
new OS. Also, the User State Migration Toolkit (USMT) does not support Azure AD-joined devices.

7. On the Include Updates page, choose one of the three available options. This selection is optional.
8. On the Install applications page, add applications if desired. This is optional.
9. Click Next , confirm settings, click Next , and then click Close .
10. Right click on the Autopilot for existing devices task sequence and click Edit .
11. In the Task Sequence Editor under the Install Operating System group, click the Apply Windows
Settings action.
12. Click Add then click New Group .
13. Change the group Name from New Group to Autopilot for existing devices config .
14. Click Add , point to General , then click Run Command Line .
15. Verify that the Run Command Line step is nested under the Autopilot for existing devices config
group.
16. Change the Name to Apply Autopilot for existing devices config file and paste the following into the
Command line text box, and then click Apply :
 cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\
/c

AutopilotConfigurationFile.json must be the name of the JSON file present in the Autopilot for
existing devices package created earlier.
17. In the Apply Autopilot for existing devices config file step, select the Package checkbox and then click
Browse .
18. Select the Autopilot for existing devices config package created earlier and click OK . An example is
displayed at the end of this section.
19. Under the Setup Operating System group, click the Setup Windows and Configuration Manager
task.
20. Click Add and then click New Group .
21. Change Name from New Group to Prepare Device for Autopilot
22. Verify that the Prepare Device for Autopilot group is the very last step in the task sequence. Use the
Move Down button if necessary.
23. With the Prepare device for Autopilot group selected, click Add , point to Images and then click
Prepare ConfigMgr Client for Capture .
24. Add a second step by clicking Add , pointing to Images , and clicking Prepare Windows for Capture . Use
the following settings in this step:
Automatically build mass storage driver list: Not selected
Do not reset activation flag: Not selected
Shut down the computer after running this action: Optional

25. Click OK to close the Task Sequence Editor.

 NOTE
On Windows 10 1903 and 1909, the AutopilotConfigurationFile.json is deleted by the Prepare Windows for
Capture step. See Windows Autopilot - known issues for more information and a workaround.

Deploy Content to Distribution Points

Next, ensure that all content required for the task sequence is deployed to distribution points.
1. Right click on the Autopilot for existing devices task sequence and click Distribute Content .
2. Click Next , Review the content to distribute , and then click Next .
3. On the Specify the content distribution page click Add to specify either a Distribution Point or Distribution
Point Group .
4. On the Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will
allow the JSON file to be retrieved when the task sequence is run.
5. When you are finished specifying content distribution, click Next twice then click Close .
Deploy the OS with Autopilot Task Sequence
1. Right click on the Autopilot for existing devices task sequence and then click Deploy .
2. In the Deploy Software Wizard enter the following General and Deployment Settings details:
Task Sequence: Autopilot for existing devices .
Collection: Click Browse and then select Autopilot for existing devices collection (or another
collection you prefer).
Click Next to specify Deployment Settings .
Action: Install .
Purpose: Available . You can optionally select Required instead of Available . This is not recommended
during the test owing to the potential impact of inadvertent configurations.
Make available to the following: Only Configuration Manager Clients . Note: Choose the option here
that is relevant for the context of your test. If the target client does not have the Configuration Manager
agent or Windows installed, you will need to select an option that includes PXE or Boot Media.
Click Next to specify Scheduling details.
Schedule when this deployment will become available: Optional
Schedule when this deployment will expire: Optional
Click Next to specify User Experience details.
Show Task Sequence progress: Selected.
Software Installation: Not selected.
System restart (if required to complete the installation): Not selected.
Commit changed at deadline or during a maintenance windows (requires restart): Optional.
Allow task sequence to be run for client on the Internet: Optional
Click Next to specify Aler ts details.
Create a deployment alert when the threshold is higher than the following: Optional.
Click Next to specify Distribution Points details.
Deployment options: Download content locally when needed by the running task sequence .
When no local distribution point is available use a remote distribution point: Optional.
Allow clients to use distribution points from the default site boundary group: Optional.
Click Next , confirm settings, click Next , and then click Close .
Complete the client installation process
1. Open the Software Center on the target Windows 7 or Windows 8.1 client computer. You can do this by
clicking Start and then typing software in the search box, or by typing the following at a Windows
 PowerShell or command prompt:

C:\Windows\CCM\SCClient.exe

2. In the software library, select Autopilot for existing devices and click Install . See the following example:

The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then
proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and
provide an Autopilot experience.
 NOTE
If joining devices to Active Directory (Hybrid Azure AD Join), it is necessary to create a Domain Join device configuration
profile that is targeted to "All Devices" (since there is no Azure Active Directory device object for the computer to do group-
based targeting). See User-driven mode for hybrid Azure Active Directory join for more information.

Register the device for Windows Autopilot

Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once
updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of
PC reset. You can enable automatic registration for an assigned group using the Conver t all targeted devices to
Autopilot setting. For more information, see Create an Autopilot deployment profile.
Also see Adding devices to Windows Autopilot.

Speeding up the deployment process

To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for
Speeding up Windows Autopilot for existing devices.
 Refresh an existing computer with a new version of
Windows
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Use Configuration Manager to partition and format an existing computer and then install a new OS. This process
is sometimes called reimaging or wipe and load. For this scenario, choose from many different deployment
methods, such as PXE, bootable media, or Software Center. You can also use a state migration point to store
settings, and then restore them to the new OS.
To choose the right OS deployment scenario, see Scenarios to deploy enterprise operating systems.

Plan
Plan for and implement infrastructure requirements
There are several infrastructure requirements that must be in place before you can deploy an OS. Some of these
requirements include the Windows ADK, the User State Migration Tool (USMT), and Windows Deployment
Services (WDS). For more information, see Infrastructure requirements for OS deployment.
Install a state migration point
If you want to capture settings from an existing computer, and then restore the settings to the new OS, consider
using a state migration point. For more information, see State migration point.

Configure
Prepare a boot image
Boot images start a computer in a Windows PE environment. Windows PE is a minimal OS with limited
components and services. From Windows PE, Configuration Manager can then install a full Windows OS on the
computer.
For more information, see the following articles:
Manage boot images
Customize boot images
Distribute content
Prepare an OS image
The OS image contains the files necessary to install the OS on the destination computer.
For more information, see the following articles:
Manage OS images
Distribute content
Create a task sequence to deploy an OS
Use a task sequence to automate the installation of the OS. Depending on the deployment method that you
choose, there might be additional considerations for the task sequence.
For more information, see the following articles:
 Create a task sequence to install an OS
Manage user state

Deploy
Use one of the following deployment methods to deploy the OS:
Use PXE to deploy Windows over the network
Use multicast to deploy Windows over the network
Create an image for an OEM in factory or a local depot
Use stand-alone media to deploy Windows without using the network
Use bootable media to deploy Windows over the network
Use Software Center to deploy Windows over the network

Monitor
For more information, see Monitor OS deployments.

NOTE
When you reimage a UEFI device, Windows Boot Manager creates a new entry in the boot loader. This behavior is most
noticeable when you repeatedly reimage a device, such as in a test environment or a student lab. It generally doesn't impact
the performance or usage of the device. If the list gets too large, some specific hardware devices may encounter functional
issues. For example, not booting to an external USB drive, or not able to select the current boot entry from the list. Use the
Windows bcdedit command to clear unused boot entries. For more information, see BCDEdit /deletevalue.
 Install a new version of Windows on a new computer
(bare metal) with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

This topic provides the general steps in Configuration Manager to install an operating system on a new computer.
For this scenario, you can choose from many different deployment methods, such as PXE, OEM, or stand-alone
media. If you are unsure that this is the right operating system deployment scenario for you, see Scenarios to
deploy enterprise operating systems.
Use the following sections to refresh an existing computer with a new version of Windows.

Plan
Plan for and implement infrastructure requirements
There are several infrastructure requirements that must be in place before you can deploy operating
systems, such as Windows ADK, Windows Deployment Services (WDS), supported hard disk
configurations, etc. For more information, see Infrastructure requirements for operating system
deployment.

Configure
1. Prepare a boot image
Boot images start a computer in a Windows PE environment (a minimal operating system with limited
components and services) that can then install a full Windows operating system on the computer. When
you deploy operating systems, you must select a boot image to use and distribute the image to a
distribution point. Use the following to prepare the boot image:
To learn more about boot images, see Manage boot images.
For more information about how to customize a boot image, see Customize boot images.
Distribute the boot image to distribution points. For more information, see Distribute content.
2. Prepare an operating system image
The operating system image contains the files necessary to install the operating system on the destination
computer. Use the following to prepare the operating system image:
To learn more about how to create an operating system image, see Manage operating system
images.
Distribute the operating system image to distribution points. For more information, see Distribute
content.
 NOTE
New installations of Windows can also be performed from installation source files via OS upgrade packages, but use
OS images such as install.wim instead.
Deploying new installations of Windows via OS upgrade packages is still supported, but is dependent on drivers
being compatible with this method. When installing Windows from an OS upgrade package, drivers are installed
while still in Windows PE versus simply being injected while in Windows PE. Some drivers are not compatible with
being installed while in Windows PE. If drivers are not compatible with being installed while in Windows PE, then use
an OS image instead.

3. Create a task sequence to deploy operating systems over the network

Use a task sequence to automate the installation of the operating system over the network. Use the steps
in Create a task sequence to install an operating system to create the task sequence to deploy the
operating system. Depending on the deployment method that you choose, there might be additional
considerations for the task sequence.

Deploy
Use one of the following deployment methods to deploy the operating system:
Use PXE to deploy Windows over the network
Use multicast to deploy Windows over the network
Create an image for an OEM in factory or a local depot
Use stand-alone media to deploy Windows without using the network
Use bootable media to deploy Windows over the network

Monitor
Monitor the task sequence deployment
To monitor the task sequence deployment to install the operating system, see Monitor operating system
deployments.
 Replace an existing computer and transfer settings
with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

This topic provides the general steps in Configuration Manager to replace an existing computer with a new
computer. For this scenario, you can choose from many different deployment methods, such as bootable media,
multicast, or Software Center. You can also choose to install a state migration point to store settings and then
restore them to the new operating system after it is installed. If you are unsure that this is the right operating
system deployment scenario for you, see Scenarios to deploy enterprise operating systems.
Use the following sections to refresh an existing computer with a new version of Windows.

Plan
Plan for and implement infrastructure requirements
There are several infrastructure requirements that must be in place before you can deploy operating
systems, such as Windows ADK, User State Migration Tool (USMT), Windows Deployment Services (WDS),
supported hard disk configurations, etc. For more information, see Infrastructure requirements for
operating system deployment
Install a state migration point (required only if you transfer settings)
When you are going to capture settings from the existing computer, and then restore the settings to the
new operating system, you must install a state migration point. For more information, see State migration
point.

Configure
1. Prepare a boot image
Boot images start a computer in a Windows PE environment (a minimal operating system with limited
components and services) that can then install a full Windows operating system on the computer. When
you deploy operating systems, you must select a boot image to use and distribute the image to a
distribution point. Use the following to prepare the boot image:
To learn more about boot images, see Manage boot images.
For more information about how to customize a boot image, see Customize boot images.
Distribute the boot image to distribution points. For more information, see Distribute content.
2. Prepare an operating system image
The operating system image contains the files necessary to install the operating system on the destination
computer. Use the following to prepare the operating system image:
To learn more about how to create an operating system image, see Manage operating system
images.
Distribute the operating system image to distribution points. For more information, see Distribute
content.
3. Create a task sequence to deploy operating systems over the network
Use a task sequence to automate the installation of the operating system over the network. Use the steps in
Create a task sequence to install an operating system to create the task sequence to deploy the operating
system. Depending on the deployment method that you choose, there might be additional considerations
for the task sequence.

NOTE
In this scenario, if you capture and restore user settings and files, you can choose to use a state migration point or
save the files locally. For more information, see Manage user state.

Deploy
Use one of the following deployment methods to deploy the operating system:
Use Software Center to deploy Windows over the network
Use bootable media to deploy Windows over the network
Use multicast to deploy Windows over the network
Create an image for an OEM in factory or a local depot

Monitor
Monitor the task sequence deployment
To monitor the task sequence deployment to install the operating system, see Monitor operating system
deployments.
 Security and privacy for OS deployment in
Configuration Manager
4/20/2020 • 11 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

This article contains security and privacy information for the OS deployment feature in Configuration Manager.

Security best practices for OS deployment

Use the following security best practices for when you deploy operating systems with Configuration Manager:
Implement access controls to protect bootable media
When you create bootable media, always assign a password to help secure the media. Even with a password, it only
encrypts files that contain sensitive information, and all files can be overwritten.
Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client
authentication certificate.
To help prevent a client from installing content or client policy that has been tampered with, the content is hashed
and must be used with the original policy. If the content hash fails or the check that the content matches the policy,
the client won't use the bootable media. Only the content is hashed. The policy isn't hashed, but it's encrypted and
secured when you specify a password. This behavior makes it more difficult for an attacker to successfully modify
the policy.
Use a secure location when you create media for OS images
If unauthorized users have access to the location, they can tamper with the files that you create. They can also use
all the available disk space so that the media creation fails.
Protect certificate files
Protect certificate files (.pfx) with a strong password. If you store them on the network, secure the network channel
when you import them into Configuration Manager
When you require a password to import the client authentication certificate that you use for bootable media, this
configuration helps to protect the certificate from an attacker.
Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering
with the certificate file.
Block or revoke any compromised certificates
If the client certificate is compromised, block the certificate from Configuration Manager. If it's a PKI certificate,
revoke it.
To deploy an OS by using bootable media and PXE boot, you must have a client authentication certificate with a
private key. If that certificate is compromised, block the certificate in the Cer tificates node in the Administration
workspace, Security node.
Secure the communication channel between the site server and the SMS Provider
When the SMS Provider is remote from the site server, secure the communication channel to protect boot images.
When you modify boot images and the SMS Provider is running on a server that isn't the site server, the boot
images are vulnerable to attack. Protect the network channel between these computers by using SMB signing or
IPsec.
Enable distribution points for PXE client communication only on secure network segments
When a client sends a PXE boot request, you have no way to make sure that the request is serviced by a valid PXE-
enabled distribution point. This scenario has the following security risks:
A rogue distribution point that responds to PXE requests could provide a tampered image to clients.
An attacker could launch a man-in-the-middle attack against the TFTP protocol that is used by PXE. This
attack could send malicious code with the OS files. The attacker could also create a rogue client to make
TFTP requests directly to the distribution point.
An attacker could use a malicious client to launch a denial of service attack against the distribution point.
Use defense in depth to protect the network segments where clients access PXE-enabled distribution points.

WARNING
Because of these security risks, don't enable a distribution point for PXE communication when it's in an untrusted network,
such as a perimeter network.

Configure PXE-enabled distribution points to respond to PXE requests only on specified network interfaces
If you allow the distribution point to respond to PXE requests on all network interfaces, this configuration might
expose the PXE service to untrusted networks
Require a password to PXE boot
When you require a password for PXE boot, this configuration adds an extra level of security to the PXE boot
process. This configuration helps safeguard against rogue clients joining the Configuration Manager hierarchy.
Restrict content in OS images used for PXE boot or multicast
Don't include line-of-business applications or software that contains sensitive data in an image that you use for PXE
boot or multicast.
Because of the inherent security risks involved with PXE boot and multicast, reduce the risks if a rogue computer
downloads the OS image.
Restrict content installed by task sequence variables
Don't include line-of-business applications or software that contains sensitive data in packages of applications that
you install by using task sequences variables.
When you deploy software by using task sequences variables, it might be installed on computers and to users who
aren't authorized to receive that software.
Secure the network channel when migrating user state
When you migrate user state, secure the network channel between the client and the state migration point by using
SMB signing or IPsec.
After the initial connection over HTTP, user state migration data is transferred by using SMB. If you don't secure the
network channel, an attacker can read and modify this data.
Use the latest version of USMT
Use the latest version of the User State Migration Tool (USMT) that Configuration Manager supports.
The latest version of USMT provides security enhancements and greater control for when you migrate user state
data.
Manually delete folders on state migration points when you decommission them
When you remove a state migration point folder in the Configuration Manager console on the state migration
point properties, the site doesn't delete the physical folder. To protect the user state migration data from
information disclosure, manually remove the network share and delete the folder.
Don't configure the deletion policy to immediately delete user state
If you configure the deletion policy on the state migration point to immediately remove data that's marked for
deletion, and if an attacker manages to retrieve the user state data before the valid computer does, the site
immediately deletes the user state data. Set the Delete after interval to be long enough to verify the successful
restore of user state data.
Manually delete computer associations
Manually delete computer associations when the user state migration data restore is complete and verified.
Configuration Manager doesn't automatically remove computer associations. Help to protect the identity of user
state data by manually deleting computer associations that are no longer required.
Manually back up the user state migration data on the state migration point
Configuration Manager Backup doesn't include the user state migration data in the site backup.
Implement access controls to protect the prestaged media
Control physical access to the media to prevent an attacker from using cryptographic attacks to obtain the client
authentication certificate and sensitive data.
Implement access controls to protect the reference computer imaging process
Make sure the reference computer you use to capture OS images is in a secure environment. Use appropriate
access controls so that unexpected or malicious software can't be installed and inadvertently included in the
captured image. When you capture the image, make sure the destination network location is secure. This process
helps make sure the image can't be tampered with after you capture it.
Always install the most recent security updates on the reference computer
When the reference computer has current security updates, it helps to reduce the window of vulnerability for new
computers when they first start up.
Implement access controls when deploying an OS to an unknown computer
If you must deploy an OS to an unknown computer, implement access controls to prevent unauthorized computers
from connecting to the network.
Provisioning unknown computers provides a convenient method to deploy new computers on demand. But it can
also allow an attacker to efficiently become a trusted client on your network. Restrict physical access to the
network, and monitor clients to detect unauthorized computers.
Computers responding to a PXE-initiated OS deployment might have all data destroyed during the process. This
behavior could result in a loss of availability of systems that are inadvertently reformatted.
Enable encryption for multicast packages
For every OS deployment package, you can enable encryption when Configuration Manager transfers the package
by using multicast. This configuration helps prevent rogue computers from joining the multicast session. It also
helps prevent attackers from tampering with the transmission.
Monitor for unauthorized multicast-enabled distribution points
If attackers can gain access to your network, they can configure rogue multicast servers to spoof OS deployment.
When you export task sequences to a network location, secure the location and secure the network channel
Restrict who can access the network folder.
Use SMB signing or IPsec between the network location and the site server to prevent an attacker from tampering
with the exported task sequence.
If you use the task sequence run as account, take additional security precautions
If you use the task sequence run as account, take the following precautionary steps:
Use an account with the least possible permissions.
Don't use the network access account for this account.
Never make the account a domain administrator.
Never configure roaming profiles for this account. When the task sequence runs, it downloads the roaming
profile for the account, which leaves the profile vulnerable to access on the local computer.
Limit the scope of the account. For example, create different task sequence run as accounts for each task
sequence. If one account is compromised, only the client computers to which that account has access are
compromised. If the command line requires administrative access on the computer, consider creating a local
administrator account solely for the task sequence run as account. Create this local account on all computers
that run the task sequence, and delete the account as soon as it's no longer required.
Restrict and monitor the administrative users who are granted the OS deployment manager security role
Administrative users who are granted the OS deployment manager security role can create self-signed
certificates. These certificates can then be used to impersonate a client and obtain client policy from Configuration
Manager.
Use Enhanced HTTP to reduce the need for a network access account
Starting in version 1806, when you enable Enhanced HTTP, several OS deployment scenarios don't require a
network access account to download content from a distribution point. For more information, see Task sequences
and the network access account.

Security issues for OS deployment

Although OS deployment can be a convenient way to deploy the most secure operating systems and
configurations for computers on your network, it does have the following security risks:
Information disclosure and denial of service
If an attacker can obtain control of your Configuration Manager infrastructure, they could run any task sequences.
This process might include formatting the hard drives of all client computers. Task sequences can be configured to
contain sensitive information, such as accounts that have permissions to join the domain and volume licensing
keys.
Impersonation and elevation of privileges
Task sequences can join a computer to domain, which can provide a rogue computer with authenticated network
access.
Protect the client authentication certificate that's used for bootable task sequence media and for PXE boot
deployment. When you capture a client authentication certificate, this process gives an attacker an opportunity to
obtain the private key in the certificate. This certificate lets them impersonate a valid client on the network. In this
scenario, the rogue computer can download policy, which can contain sensitive data.
If clients use the network access account to access data stored on the state migration point, these clients effectively
share the same identity. They could access state migration data from another client that uses the network access
account. The data is encrypted so only the original client can read it, but the data could be tampered with or
deleted.
Client authentication to the state migration point is achieved by using a Configuration Manager token that is
issued by the management point.
Configuration Manager doesn't limit or manage the amount of data that's stored on the state migration point. An
attacker could fill up the available disk space and cause a denial of service.
If you use collection variables, local administrators can read potentially sensitive information
Although collection variables offer a flexible method to deploy operating systems, this feature might result in
information disclosure.

Privacy information for OS deployment

In addition to deploying an OS to computers without one, Configuration Manager can be used to migrate users'
files and settings from one computer to another. The administrator configures which information to transfer,
including personal data files, configuration settings, and browser cookies.
Configuration Manager stores the information on a state migration point, and encrypts it during transmission and
storage. Only the new computer associated with the state information can retrieve the stored information. If the
new computer loses the key to retrieve the information, a Configuration Manager administrator with the View
Recover y Information right on computer association instance objects can access the information and associate it
with a new computer. After the new computer restores the state information, it deletes the data after one day, by
default. You can configure when the state migration point removes data marked for deletion. Configuration
Manager doesn't store the state migration information in the site database, and doesn't send it to Microsoft.
If you use boot media to deploy OS images, always use the default option to password-protect the boot media. The
password encrypts any variables stored in the task sequence, but any information not stored in a variable might be
vulnerable to disclosure.
OS deployment can use task sequences to perform many different tasks during the deployment process, which
includes installing applications and software updates. When you configure task sequences, you should also be
aware of the privacy implications of installing software.
Configuration Manager doesn't implement OS deployment by default. It requires several configuration steps
before you collect user state information or create task sequences or boot images.
Before you configure OS deployment, consider your privacy requirements.

See also
Diagnostics and usage data
Security and privacy for Configuration Manager
 Plan for OS deployment interoperability
4/20/2020 • 4 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

When different Configuration Manager sites in a single hierarchy use different versions, some Configuration
Manager functionality isn't available. Typically, functionality from the newer version of Configuration Manager isn't
accessible at sites or by clients that run a lower version. For more information, see Interoperability between
different versions of Configuration Manager.

Objects
Consider the following objects when you upgrade the top-level site in your hierarchy and other sites in your
hierarchy run Configuration Manager with a lower version:
Client installation package
The source for the default client installation package is automatically upgraded. All distribution points in the
hierarchy are updated with the new client installation package. This behavior happens even on distribution
points at sites in the hierarchy that are at a lower version.
You can't assign new version clients to sites that you haven't yet upgraded to the new version. Assignment is
blocked at the management point.
Boot images
When you upgrade the top-level site to the latest version of Configuration Manager, it automatically updates
the default boot images (x86 and x64). The update uses the Windows ADK for Windows 10, which includes
Windows PE 10. The files that are associated with the default boot images are updated with the latest
Configuration Manager version of the files. The site doesn't automatically update custom boot images. You
need to manually update custom boot images, which include older Windows PE versions.
When your site hierarchy contains sites with different versions of Configuration Manager, avoid the use of
dynamic media. Instead, use site-based media to contact a specific management point. After you update all
sites to the same version of Configuration Manager, you can use dynamic media again.
Verify that the latest Configuration Manager boot images include your customizations. Then update all
distribution points at the new version sites with the latest version of the new boot images.
User State Migration Tool (USMT )
When you upgrade the top-level site to the latest version of Configuration Manager, it automatically updates the
default USMT package to the latest version. It doesn't automatically update any custom USMT packages. You need
to manually update these packages.
New task sequence steps
Periodically, new task sequence steps are introduced with new versions of Configuration Manager. When you
deploy a task sequence with a new step to older clients, the task sequence step fails. Before you deploy a task
sequence with a new step, make sure the clients in the target collection are updated to the new version.
OS deployment media
When the site is updated to a new version, update all media with the new Configuration Manager client package.
These media types include bootable, capture, prestaged, and stand-alone.
Third-party extensions to OS deployment
When you have third-party extensions to OS deployment and you have different versions of Configuration
Manager sites or Configuration Manager clients, there might be issues with the extensions.

Latest version of Configuration Manager sites in a mixed hierarchy

When you upgrade a site to latest version of Configuration Manager, task sequences that reference the default
client installation package automatically start to deploy the latest Configuration Manager client version.
Task sequences that reference a custom client installation package continue to deploy the version of the client that's
contained in that custom package. Custom packages likely include an earlier version of the Configuration Manager
client. To avoid task sequence deployment failures, update any custom client installation packages to the latest
version.
When you configure a task sequence to use a custom client installation package, do one of the following actions:
Update the task sequence step to use the latest Configuration Manager version of the client installation package
Update the custom package to use the latest Configuration Manager client installation source

IMPORTANT
Don't deploy a task sequence that references the latest Configuration Manager client installation package to clients in an
older Configuration Manager site. When clients assigned to an older Configuration Manager site are upgraded to the latest
Configuration Manager client version, Configuration Manager blocks the assignment to the older Configuration Manager
site. These clients are no longer assigned to any site. Until you manually assign the client to the latest Configuration Manager
site, or reinstall the older Configuration Manager version of the client on the computer, these clients are unmanaged.

Older versions of Configuration Manager in a mixed hierarchy

When you upgrade your central administration site to the latest version of Configuration Manager, make sure that
OS deployment task sequences that you deploy don't leave those clients in an unmanaged state. For example, if you
deploy to clients assigned to an older Configuration Manager site that you haven't yet upgraded to the latest
version of Configuration Manager.
Make a copy of a task sequence that you use to deploy to clients in the latest version of Configuration Manager site.
Then modify the task sequence so you can deploy it to clients in an older Configuration Manager site. Configure the
task sequence to reference a custom client installation package that uses the older Configuration Manager client
installation source. If you don't already have a custom client installation package that references the older
Configuration Manager client installation source, manually create one.

IMPORTANT
Starting in version 1902, you can't deploy a package or task sequence to a client version 5.7730 or earlier. To work around
this limitation, upgrade the client to a later version.
 Prepare site system roles for OS deployments with
Configuration Manager
9/4/2020 • 8 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

To deploy operating systems in Configuration Manager, first prepare the following site system roles that require
specific configurations and considerations.

Distribution points
The distribution point site system role hosts source files for clients to download. This content is for applications,
software updates, OS images, boot images, and driver packages. Control content distribution by using bandwidth,
throttling, and scheduling options.
It's important that you have enough distribution points to support the deployment of operating systems to
computers. It's also important that you plan for the placement of these distribution points in your hierarchy. For
more information, see Manage content and content infrastructure. This article includes some additional planning
considerations for distribution points specific to OS deployment.
Additional planning considerations for distribution points
The following items are additional planning things to consider for distribution points:
How can I prevent unwanted OS deployments?
Configuration Manager doesn't distinguish site servers from other destination computers in a collection. If you
deploy a required task sequence to a collection that includes a site server, it runs the task sequence the same way
as any other computer in the collection. Make sure that your OS deployment uses a collection that includes the
intended clients.
Manage the behavior for high-risk task sequence deployments. A high-risk deployment automatically installs on a
client and has the potential to cause unwanted results. For example, a task sequence with a purpose of required
that deploys an OS. To reduce the risk of an unwanted high-risk deployment, configure deployment verification
settings. For more information, see Settings to manage high-risk deployments.
How many computers can receive an OS image at one time from a single distribution point?
To estimate how many distribution points you need, consider the following variables:
The processing speed of the distribution point
The disk speed of the distribution point
The available bandwidth on the network
The size of the image package
For example, if you don't consider any other server resource factors, the maximum number of computers that can
process a 4-GB image package in one hour on a 100-megabit/sec Ethernet network is 11 computers.
100 megabits/sec = 12.5 megabytes/sec = 750 megabytes/min = 45 gigabytes/hour = 11 images @ 4 GB per image

If you must deploy an OS to a specific number of computers within a specific time frame, distribute the image to
an appropriate number of distribution points.
Can I deploy an OS to a distribution point?
You can deploy an OS to a distribution point, but the OS image must be received from a different distribution
point.
Configuring distribution points to accept PXE requests
To deploy operating systems to Configuration Manager clients that make PXE boot requests, configure one or more
distribution points to accept PXE requests. Once you configure the distribution point, it responds to PXE boot
requests and determines the appropriate deployment action to take. For more information, see Install or modify a
distribution point.
Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points
You can customize the RamDisk TFTP block and window sizes for PXE-enabled distribution points. If you've
customized your network, a large block or window size could cause the boot image download to fail with a time-
out error. The RamDisk TFTP block and window size customizations allow you to optimize TFTP traffic when using
PXE to meet your specific network requirements. To determine what configuration is most efficient, test the
customized settings in your environment.
TFTP block size : The block size is the size of the data packets that the server sends to the client that is
downloading the file. A larger block size allows the server to send fewer packets, so there are fewer round-
trip delays between the server and the client. However, a large block size leads to fragmented packets, which
most PXE client implementations do not support.
TFTP window size : TFTP requires an acknowledgment (ACK) packet for each block of data that is sent. The
server does not send the next block in the sequence until it receives the ACK packet for the previous block.
TFTP windowing enables you to define how many data blocks it takes to fill a window. The server sends the
data blocks back-to-back until the window is filled, and then the client sends an ACK packet. If you increase
this window size, it reduces the number of round-trip delays between the client and server, and it decreases
the overall required time to download a boot image.
Modify the RamDisk TFTP window size
To customize the RamDisk TFTP window size, add the following registry key on PXE-enabled distribution points:
Location : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name : RamDiskTFTPWindowSize
Type : REG_DWORD
Value : (customized window size)
The default value is 1 (one data block fills the window).
Modify the RamDisk TFTP block size
To customize the RamDisk TFTP window size, add the following registry key on PXE-enabled distribution points:
Location : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\DP
Name : RamDiskTFTPBlockSize
Type : REG_DWORD
Value : (customized block size)
The default value is 4096 .

NOTE
Both Windows Deployment Services and the Configuration Manager PXE responder service support these TFTP
configurations.

Configure distribution points to support multicast

Multicast is a network optimization method. Use it on distribution points when multiple clients are likely to
download the same OS image at the same time. When you use multicast, multiple computers can simultaneously
download the OS image as it's multicast by the distribution point. Without multicast, the distribution point sends a
copy of the data to each client over a separate connection. For more information, see Use multicast to deploy
Windows over the network.
Before you deploy the OS, configure a distribution point to support multicast. For more information, see Install and
configure distribution points.

State migration point

The state migration point stores user state data that USMT captures on one computer, and then restores on
another computer. However, when you capture user settings for an OS deployment on the same computer, such as
a deployment where you refresh Windows on the destination computer, you can choose whether to store the data
on the same computer by using hard-links or use a state migration point. For some computer deployments, when
you create the state store, Configuration Manager automatically creates an association between the state store and
the destination computer. As you plan for the state migration point, consider the following factors:
User state size
The size of the user state directly affects disk storage on the state migration point and network performance during
the migration. Consider the size of the user state and the number of computers to migrate. Consider also what
settings to migrate from the computer. For example, if the My Documents folder is already backed up to a server,
then perhaps you don't have to migrate it as part of the image deployment. Avoiding unnecessary migrations
keeps the overall size of the user state smaller, and decreases the effect it would otherwise have on network
performance and disk storage on the state migration point.
User State Migration Tool
To capture and restore the user state during the deployment of the operating systems, use a User State Migration
Tool (USMT) package that points to the USMT source files. Configuration Manager automatically creates this
package in the Configuration Manager console in Software Librar y > Application Management > Packages .
Configuration Manager uses USMT 10 to capture the user state from one OS and then restore it to another. The
Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 includes USMT 10.
For a description of different migration scenarios for USMT 10, see Common Migration Scenarios in the Windows
documentation.
Retention policy
When you configure the state migration point, specify the length of time to keep the user state data that it stores.
The length of time to keep the data on the state migration point depends on two considerations:
The effect that the stored data has on disk storage.
The potential requirement to keep the data for a time in case you must migrate the data again.
State migration occurs in two phases: capturing the data, and restoring the data. When you capture data, the user
state data is collected and saved to the state migration point. When you restore the data, the user state data is
retrieved from the state migration point, written to the destination computer, and then the Release State Store
task sequence step releases the stored data. When the data is released, the retention timer starts. If you select the
option to delete migrated data immediately, the user state data is deleted as soon as it's released. If you select the
option to keep the data for a certain period of time, the data is deleted when that period of time elapses after the
state data is released. The longer you set the retention period, the more disk space you're likely to require.
Select drive to store user state migration data
When you configure the state migration point, specify the drive on the server to store the user state migration
data. You select a drive from a fixed list of drives. However, some of these drives might represent non-writable
drives, such as the CD drive, or a non-network share drive. Some drive letters might not be mapped to any drives
on the computer. Specify a writable, shared drive when you configure the state migration point.
Configure a state migration point
Use the following methods to configure a state migration point to store the user state data:
Use the Create Site System Ser ver Wizard to create a new site system server for the state migration
point.
Use the Add Site System Roles Wizard to add a state migration point to an existing server.
When you use these wizards, you're prompted to provide the following information for the state migration point:
The folders to store the user state data.
The maximum number of clients that can store data on the state migration point.
The minimum free space for the state migration point to store user state data.
The deletion policy for the role. Either specify that the user state data is deleted immediately after it's
restored on a computer, or after a specific number of days after the user data is restored on a computer.
Whether the state migration point responds only to requests to restore user state data. When you enable
this option, you can't use the state migration point to store user state data.
For the steps to install a site system role, see Add site system roles.
 Prepare for OS deployment in Configuration
Manager
4/20/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

There are several things you must do in Configuration Manager before you can deploy operating systems. Use the
following articles to prepare for OS deployment:
Manage boot images
Manage OS images
Manage OS upgrade packages
Manage drivers
Manage user state
Prepare for unknown computer deployments
Associate users with a destination computer
OS image size
OS images are large in size. For example, the image size for Windows 7 is 3 GB or more. The size of the image and
the number of computers to which you simultaneously deploy the OS affects the network performance and
available bandwidth. Make sure to test the network performance. Testing the impact better gauges the effect the
image deployment might have and the time it takes to complete the deployment. Configuration Manager activities
that affect network performance include distributing the image to a distribution point, distributing the image from
one site to another, and downloading the image to the client.
Also make sure that you plan for sufficient disk storage space on the distribution points that host the OS images.
For more information, see Additional planning considerations for distribution points.
Client cache size
When Configuration Manager clients download content, they automatically use Background Intelligent Transfer
Service (BITS), if it's available. When you deploy a task sequence that installs an OS, you can set an option on the
deployment so that Configuration Manager clients download the full image to a local cache before the task
sequence runs.
When a Configuration Manager client must download an OS image, but there isn't enough space in the cache, the
client can clear space in its cache. It checks the other packages in the cache to determine whether deleting any of
the oldest packages will free enough disk space to accommodate the image. If deleting packages doesn't free
enough space, the client doesn't download the image, and the deployment fails. This behavior might occur if the
cache has a large package that you configure to persist in the cache. If deleting packages does free enough disk
space in the cache, the client deletes them, and then downloads the image into the cache.
The default cache size on Configuration Manager clients might not be large enough for most OS image
deployments. If you plan to download the full image to the client cache, adjust the client cache size on the
destination computers to accommodate the size of the image that you're deploying.
For more information, see Configure the client cache.
 Manage boot images with Configuration Manager
9/4/2020 • 16 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

A boot image in Configuration Manager is a Windows PE (WinPE) image that's used during an OS deployment.
Boot images are used to start a computer in WinPE. This minimal OS contains limited components and services.
Configuration Manager uses WinPE to prepare the destination computer for Windows installation.

Default boot images

Configuration Manager provides two default boot images: One to support x86 platforms and one to support x64
platforms. These images are stored in the x64 or i386 folders in the following share on the site server:
\\<SiteServerName>\SMS_<sitecode>\osd\boot\ . The default boot images are updated or regenerated depending
on the action that you take.
Consider the following behaviors for any of the actions described for default boot images:
The source driver objects must be valid. These objects include the driver source files. If the objects aren't
valid, the site doesn't add the drivers to the boot images.
Boot images that aren't based on the default boot images, even if they use the same Windows PE version,
aren't modified.
Redistribute the modified boot images to distribution points.
Recreate any media that uses the modified boot images.
If you don't want your customized/default boot images automatically updated, don't store them in the
default location.

NOTE
The Configuration Manager log tool (CMTrace ) is added to all boot images in the Software Librar y . When you're in
Windows PE, start the tool by typing cmtrace from the command prompt.
CMTrace is the default viewer for log files in Windows PE.

Use updates and servicing to install the latest version of Configuration Manager
When you upgrade the Windows Assessment and Deployment Kit (ADK) version, and then use updates and
servicing to install the latest version of Configuration Manager, the site regenerates the default boot images. This
update includes the new WinPE version from the updated Windows ADK, the new version of the Configuration
Manager client, drivers, and customizations. The site doesn't modify custom boot images.
Upgrade from Configuration Manager 2012 to current branch
When you upgrade Configuration Manager 2012 to current branch, the site regenerates the default boot images.
This update includes the new WinPE version from the updated Windows ADK and the new version of the
Configuration Manager client. All boot image customizations remain unchanged. The site doesn't modify custom
boot images.
Update distribution points with the boot image
When you use the Update Distribution Points action from the Boot Images node in the console, the site
updates the target boot image with the client components, drivers, and customizations.
You can reload the boot image with the latest version of WinPE from the Windows ADK installation directory. The
General page of the Update Distribution Points wizard provides the following information:
The current Windows ADK version installed on the site server
The current production client version
The Windows ADK version of WinPE in the boot image
The version of the Configuration Manager client in the boot image
If the versions in the boot image are out of date, use the option to Reload this boot image with the current
Windows PE version from the Windows ADK .

IMPORTANT
This action is available for both default and custom boot images. During this process to reload the boot image, the site
doesn't retain any manual customizations made outside of Configuration Manager. These customizations include third-
party extensions. This option rebuilds the boot image using the latest version of WinPE and the latest client version. Only
the configurations that you specify on the properties of the boot image are reapplied.

The Boot Images node also includes a new column for (Client Version ). Use this column to quickly view the
Configuration Manager client version in each boot image.

Customize a boot image

When a boot image is based on the WinPE version from the supported version of the Windows ADK, you can
customize or modify a boot image from the console. When you upgrade a site and install a new version of the
Windows ADK, custom boot images aren't updated with the new version of Windows ADK. When that happens,
you can't customize the boot images in the Configuration Manager console. However, they continue to work as
they did before the upgrade.
When a boot image is based on a different version of the Windows ADK installed on a site, you must customize
the boot images. Use another method to customize these boot images, such as using the Deployment Image
Servicing and Management (DISM) command-line tool. DISM is part of the Windows ADK. For more information,
see Customize boot images.

Add a boot image

During site installation, Configuration Manager automatically adds boot images that are based on a WinPE
version from the supported version of the Windows ADK. Depending on the version of Configuration Manager,
you can add boot images based on a different WinPE version from the supported version the Windows ADK. An
error occurs when you try to add a boot image that contains an unsupported version of WinPE. The following list
is the currently supported Windows ADK and WinPE versions:
Windows ADK version: Windows ADK for Windows 10
Windows PE versions for boot images customizable from the Configuration Manager console: Windows
PE 10
Supported Windows PE versions for boot images not customizable from the Configuration Manager
console
Windows PE 3.1Note 1
Windows PE 5
For example, use the Configuration Manager console to customize boot images based on Windows PE 10 from
the Windows ADK for Windows 10. For a boot image based on Windows PE 5, customize it from a different
computer using the version of DISM from the Windows ADK for Windows 8. Then add the custom boot image to
the Configuration Manager console. For more information, see the following articles:
Customize boot images
Support for Windows 10 ADK
DISM supported platforms

NOTE
Note 1: Suppor t for Windows PE 3.1
Only add a boot image to Configuration Manager based on Windows PE version 3.1. Upgrade the Windows AIK for
Windows 7 (based on Windows PE 3.0) with the Windows AIK Supplement for Windows 7 SP1 (based on Windows PE 3.1).
Download the Windows AIK Supplement for Windows 7 SP1 from the Microsoft Download Center.

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Boot Images node.
2. On the Home tab of the ribbon, in the Create group, select Add Boot Image . This action starts the Add
Boot Image Wizard.
3. On the Data Source page, specify the following options:
In the Path box, specify the path to the boot image WIM file. The specified path must be a valid
network path in the UNC format. For example: \\ServerName\ShareName\BootImageName.wim
Select the boot image from the Boot Image drop-down list. If the WIM file contains multiple boot
images, select the appropriate image.
4. On the General page, specify the following options:
In the Name box, specify a unique name for the boot image.
In the Version box, specify a version number for the boot image.
In the Comment box, specify a brief description of how you use the boot image.
5. Complete the wizard.
The boot image is now listed in the Boot Image node. Before using the boot image to deploy an OS, distribute
the boot image to distribution points.

TIP
In the Boot Image node of the console, the Size (KB) column displays the decompressed size for each boot image. When
the site sends a boot image over the network, it sends a compressed copy. This copy is typically smaller than the size listed
in the Size (KB) column.

Distribute boot images

Boot images are distributed to distribution points in the same way as you distribute other content. Before you
deploy an OS or create media, distribute the boot image to at least one distribution point.
For more information on how to distribute a boot image, see Distribute content.
To use PXE to deploy an OS, consider the following points before you distribute the boot image:
 Configure the distribution point to accept PXE requests.
Distribute both an x86 and an x64 PXE-enabled boot image to at least one PXE-enabled distribution point.
Configuration Manager distributes the boot images to the RemoteInstall folder on the PXE-enabled
distribution point.
For more information about using PXE to deploy operating systems, see Use PXE to deploy Windows over the
network.

Modify a boot image

Add or remove device drivers to the image, or edit the properties of the boot image. The drivers that you add or
remove can include network or storage drivers. Consider the following factors when you modify boot images:
Before adding drivers to the boot image, import and enable them in the device driver catalog.
When you modify a boot image, the boot image doesn't change any of the associated packages that the
boot image references.
After you make changes to a boot image, update the boot image on the distribution points that already
have it. This process makes the most current version of the boot image available to clients. For more
information, see Manage content you've distributed.
Modify the properties of a boot image
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Boot Images node.
2. Select the boot image that you want to modify.
3. On the Home tab of the ribbon, in the Proper ties group, select Proper ties .
4. Set any of the following settings to change the behavior of the boot image:
Images
On the Images tab, if you change the properties of the boot image by using an external tool, select Reload .
Drivers
On the Drivers tab, add the Windows device drivers that WinPE requires to boot. Consider the following points
when you add device drivers:
Make sure that the drivers that you add to the boot image match the architecture of the boot image.
To only display drivers for the architecture of the boot image, select Hide drivers that do not match
the architecture of the boot image . The architecture of the driver is based on the architecture
reported in the INF from the manufacturer.
WinPE already comes with many drivers built-in. Add only network and storage drivers that aren't
included in WinPE.
Add only network and storage drivers to the boot image, unless there are requirements for other drivers
in WinPE.
To only display storage and network drivers, select Hide drivers that are not in a storage or network
class (for boot images) . This option also hides other drivers that aren't typically needed for boot
images, such as video or modem drivers.
To hide drivers that don't have a valid digital signature, select Hide drivers that are not digitally
signed .
 NOTE
Import device drivers into the drivers catalog before you add them to a boot image. For information about how to import
device drivers, see Manage drivers.

Customization
On the Customization tab, select any of the following settings:
Select the Enable Prestar t Commands option to specify a command to run before the task sequence
runs. When you enable this option, also specify the command line to run and any support files required by
the command.

WARNING
Add cmd /c to the start of the command line. If you don't specify cmd /c , the command won't close after it
runs. The deployment continues to wait for the command to finish and won't start any other configured
commands or actions.

TIP
During task sequence media creation, the wizard writes the package ID and prestart command line to the
CreateTSMedia.log file. This information includes the value for any task sequence variables. This log is on the
computer that runs the Configuration Manager console. Review this log file to verify the values for the task
sequence variables.

Set the Windows PE Background settings to specify whether you want to use the default WinPE
background or a custom background.
Configure the Windows PE scratch space (MB) , which is temporary storage (RAM drive) used by
WinPE. For example, when an application is run within WinPE and needs to write temporary files, WinPE
redirects the files to the scratch space in memory to simulate the presence of a hard disk. By default, this
amount is 512 MB for devices with more than 1 GB of RAM, otherwise the default is 32 MB.
Select Enable command suppor t (testing only) to open a command prompt by using the F8 key
while the boot image is deployed. This option is useful for troubleshooting while you're testing your
deployment. Using this setting in a production deployment isn't advised because of security concerns.
Set default keyboard layout in WinPE : Starting in version 1910, configure the default keyboard layout
for a boot image. If you select a language other than en-us, Configuration Manager still includes en-us in
the available input locales. On the device, the initial keyboard layout is the selected locale, but the user can
switch the device to en-us if needed.

TIP
Use the Set-CMBootImage PowerShell cmdlet to configure these settings from a script.

Optional Components
On the Optional Components tab, specify the components that are added to Windows PE for use with
Configuration Manager. For more information about available optional components, see WinPE: Add packages
(Optional Components Reference).
The following components are required by Configuration Manager and always added to boot images:
Scripting (WinPE-Scripting)
 Startup (WinPE-SecureStartup)
Network (WinPE-WDS-Tools)
Scripting (WinPE-WMI)
The Components list shows additional items that are added to this boot image. To add more components, select
the gold asterisk. To remove a component, select it from the list, and then select the red X.
The following components are commonly used by customers:
Microsoft .NET (WinPE-NetFX): This component is a prerequisite for PowerShell. It's one of the larger optional
components.
Windows PowerShell (WinPE-PowerShell): This component requires .NET, and adds limited PowerShell
support. If you run custom PowerShell scripts during the WinPE phase of your task sequence, add this
component. There are other components that may be required for other PowerShell cmdlets.
HTML (WinPE-HTA): If you run custom HTML applications during the WinPE phase of your task sequence, add
this component.
For more information about adding languages, see Configure multiple languages.
Data Source
On the Data Source tab, update any of the following settings:
To change the source file of the boot image, set Image path and Image index .
To create a schedule for when the site updates the boot image, select Update distribution points on a
schedule .
If you don't want the content of this package to age out of the client cache to make room for other
content, select Persist content in client cache .
To specify that the site only distributes changed files when it updates the boot image package on the
distribution point, select Enable binar y differential replication (BDR). This setting minimizes the
network traffic between sites. BDR is especially useful when the boot image package is large and the
changes are relatively small.
If you use the boot image in a PXE-enabled deployment, select Deploy this boot image from the PXE-
enabled distribution point . For more information, see Use PXE to deploy Windows over the network.
Data Access
On the Data Access tab, you can configure package share settings. If needed in your environment, set the
option to Copy the content in this package to a package share on distribution points . You then have
the additional option to Use a custom name for the package share and specify the custom Share name .
Additional disk space is required on distribution points when you enable this option. It applies to all distribution
points that receive this boot image.
Distribution Settings
On the Distribution Settings tab, select any of the following settings:
In the Distribution priority list, specify the priority level. Configuration Manager uses this priority list
when the site distributes multiple packages to the same distribution point.
If you want to enable on-demand content distribution to preferred distribution points, select Enable for
on-demand distribution . When you enable this setting, if a client requests the content for the package
and the content isn't available on any distribution points, then the management point distributes the
content. For more information, see On-demand content distribution.
To specify how you want the site to distribute the boot image to distribution points that are enabled for
prestaged content, set the Prestaged distribution point settings . For more information about
 prestaged content, see Prestage content.
Content Locations
On the Content Locations tab, select the distribution point or distribution point group, and use the following
actions:
Validate : Check the integrity of the boot image package on the selected distribution point or distribution
point group.
Redistribute : Distribute the boot image to the selected distribution point or distribution point group
again.
Remove : Delete the boot image from the selected distribution point or distribution point group.
Security
On the Security tab, view the administrative users that have permissions to this object.

Configure a boot image for PXE

Before you can use a boot image for a PXE-based deployment, configure the boot image to deploy from a PXE-
enabled distribution point.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Boot Images node.
2. Select the boot image that you want to modify.
3. On the Home tab of the ribbon, in the Proper ties group, select Proper ties .
4. On the Data Source tab, select Deploy this boot image from the PXE-enabled distribution point .
For more information, see Use PXE to deploy Windows over the network.

Configure multiple languages

TIP
Starting in version 1910, configure the default keyboard layout on the properties of a boot image. For more information,
see Customization.

Boot images are language neutral. This functionality allows you to use one boot image to display the task
sequence text in multiple languages while in WinPE. Include the appropriate language support from the boot
image Optional Components tab. Then set the appropriate task sequence variable to indicate which language
to display. The language of the deployed OS is independent from the language in WinPE. The language that
WinPE displays to the user is determined as follows:
When a user runs the task sequence from an existing OS, Configuration Manager automatically uses the
language configured for the user. When the task sequence automatically runs as the result of a mandatory
deployment deadline, Configuration Manager uses the language of the OS.
For OS deployments that use PXE or media, set the language ID value in the SMSTSLanguageFolder
variable as part of a prestart command. When the computer boots to WinPE, messages are displayed in
the language that you specified in the variable. If there's an error accessing the language resource file in
the specified folder, or you don't set the variable, WinPE displays messages in the default language.
 NOTE
When you protect media with a password, the text that prompts the user for the password is always displayed in
the WinPE language.

Use the following procedure to set the WinPE language for PXE or media-initiated OS deployments.
Set the Windows PE language for a PXE or media-initiated OS deployment
1. Before you update the boot image, verify that the appropriate task sequence resource file (tsres.dll) is in
the corresponding language folder on the site server. For example, the English resource file is in the
following location: <ConfigMgrInstallationFolder>\OSD\bin\x64\00000409\tsres.dll
2. As part of your prestart command, set the SMSTSLanguageFolder environment variable to the
appropriate language ID. The language ID must be specified by using decimal and not hexadecimal format.
For example, to set the language ID to English, specify the decimal value 1033 , not the hexadecimal value
00000409 of the folder name.
 Customize boot images with Configuration Manager
9/4/2020 • 12 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Each version of Configuration Manager supports a specific version of the Windows Assessment and Deployment
Kit (Windows ADK). You can service, or customize, boot images from the Configuration Manager console when
they are based on a Windows PE version from the supported version of Windows ADK. For other boot images,
you must customize them by using another method, such as using the Deployment Image Servicing and
Management (DISM) command-line tool that is part of the Windows AIK and Windows ADK.
The following provides the supported version of Windows ADK, the Windows PE version on which the boot image
is based that can be customized from the Configuration Manager console, and the Windows PE versions on which
the boot image is based that you can customize by using DISM and then add the image to Configuration Manager.
Windows ADK version
Windows ADK for Windows 10
Windows PE versions for boot images customizable from the Configuration Manager console
Windows PE 10
Suppor ted Windows PE versions for boot images not customizable from the Configuration
Manager console
Windows PE 3.11 and Windows PE 5
1 You can only add a boot image to Configuration Manager
when it is based on Windows PE 3.1. Install the
Windows AIK Supplement for Windows 7 SP1 to upgrade Windows AIK for Windows 7 (based on
Windows PE 3) with the Windows AIK Supplement for Windows 7 SP1 (based on Windows PE 3.1). You can
download Windows AIK Supplement for Windows 7 SP1 from the Microsoft Download Center.
For example, when you have Configuration Manager, you can customize boot images from Windows ADK
for Windows 10 (based on Windows PE 10) from the Configuration Manager console. However, while boot
images based on Windows PE 5 are supported, you must customize them from a different computer and
use the version of DISM that is installed with Windows ADK for Windows 8. Then, you can add the boot
image to the Configuration Manager console.
The procedures in this topic demonstrate how to add the optional components required by Configuration
Manager to the boot image by using the following Windows PE packages:
WinPE-WMI : Adds Windows Management Instrumentation (WMI) support.
WinPE-Scripting : Adds Windows Script Host (WSH) support.
WinPE-WDS-Tools : Installs Windows Deployment Services tools.
There are other Windows PE packages available for you to add. For more information about the optional
components that you can add to the boot image, see WinPE: Add packages (Optional Components
Reference).
 NOTE
When you boot to WinPE from a customized boot image that includes tools that you added, you can open a command
prompt from WinPE and type the file name of the tool to run it. The location of these tools are automatically added to the
path variable. The command prompt can only be added if the Enable command suppor t (testing only) setting is
selected on the Customization tab in the boot image properties.

Customize a boot image that uses Windows PE 5

To customize a boot image that uses Windows PE 5, you must install Windows ADK and use the DISM command-
line tool to mount the boot image, add optional components and drivers, and commit the changes to the boot
image. Use the following procedure to customize the boot image.
To customize a boot image that uses Windows PE 5
1. Install the Windows ADK on a computer that does not have another version of Windows AIK or Windows
ADK, and does not have any Configuration Manager components installed.
2. Download Windows ADK for Windows 8.1 from the Microsoft Download Center.
3. Copy the boot image (wimpe.wim) from the Windows ADK installation folder (for example, <Installation
path>\Windows Kits\<version>\Assessment and Deployment Kit\Windows Preinstallation Environment\
<x86 or amd64>\<locale>) to a destination folder on the computer from which you will customize the
boot image. This procedure uses C:\WinPEWAIK as the destination folder name.
4. Use DISM to mount the boot image to a local Windows PE folder. For example, type the following
command-line:
dism.exe /mount-wim /wimfile:C:\WinPEWAIK\winpe.wim /index:1 /mountdir :C:\WinPEMount
Where C:\WinPEWAIK is the folder that contains the boot image and C:\WinPEMount is the mounted folder.

NOTE
For more information, see the DISM (Deployment Image Servicing and Management) Reference.

5. After you mount the boot image, use DISM to add optional components to the boot image. In Windows PE
5, the 64-bit optional components are located in <Installation path>\Windows Kits\8.1\Assessment and
Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs.

NOTE
This procedure uses the following location for the optional components: C:\Program Files (x86)\Windows
Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs. The path you
use might be different depending on the version and installation options you choose for the Windows ADK.

Type the following to install the optional components:

dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\winpe-wmi.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\winpe-scripting.cab"
 dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\winpe-wds-tools.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\WinPE-SecureStar tup.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\ <locale> \WinPE-SecureStar tup_ <locale> .cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\ <locale> \WinPE-WMI_ <locale> .cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\ <locale> \WinPE-Scripting <locale> .cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\ <locale> \WinPE-WDS-Tools_ <locale> .cab"
Where C:\WinPEMount is the mounted folder and locale is the locale for the components. For example, for
the en-us locale, you would type:
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\en-us\WinPE-SecureStar tup_en-us.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\en-us\WinPE-WMI_en-us.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\en-us\WinPE-Scripting_en-us.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files
(x86)\Windows Kits\8.1\Assessment and Deployment Kit\Windows Preinstallation
Environment\amd64\WinPE_OCs\en-us\WinPE-WDS-Tools_en-us.cab"

TIP
For more information about the optional components that you can add to the boot image, see the Windows PE
Optional Components Reference.

6. Use DISM to add specific drivers to the boot image, when required. Type the following to add drivers to the
boot image:
dism.exe /image:C:\WinPEMount /add-driver /driver :< path to driver .inf file >
Where C:\WinPEMount is the mounted folder.
7. Type the following to unmount the boot image file and commit the changes.
dism.exe /unmount-wim /mountdir :C:\WinPEMount /commit
 Where C:\WinPEMount is the mounted folder.
8. Add the updated boot image to Configuration Manager to make it available to use in your task sequences.
Use the following steps to import the updated boot image:
a. In the Configuration Manager console, click Software Librar y .
b. In the Software Librar y workspace, expand Operating Systems , and then click Boot Images .
c. On the Home tab, in the Create group, click Add Boot Image to start the Add Boot Image Wizard.
d. On the Data Source page, specify the following options, and then click Next .
In the Path box, specify the path to the updated boot image file. The specified path must be a
valid network path in the UNC format. For example: \\< servername>\< WinPEWAIK
share>\winpe.wim .
Select the boot image from the Boot Image drop-down list. If the WIM file contains multiple
boot images, each image is listed.
e. On the General page, specify the following options, and then click Next .
In the Name box, specify a unique name for the boot image.
In the Version box, specify a version number for the boot image.
In the Comment box, specify a brief description of how the boot image is used.
f. Complete the wizard.
9. You can enable a command shell in the boot image to debug and troubleshoot it in Windows PE. Use the
following steps to enable the command shell.
a. In the Configuration Manager console, click Software Librar y .
b. In the Software Librar y workspace, expand Operating Systems , and then click Boot Images .
c. Find the new boot image in the list and identify the package ID for the image. You can find the
package ID in the Image ID column for the boot image.
d. From a command prompt, type wbemtest to open the Windows Management Instrumentation
Tester.
e. Type \\< SMS Provider Computer>\root\sms\site_< sitecode> in Namespace , and then click
Connect .
f. Click Open Instance , type sms_bootimagepackage.packageID="<packageID>" , and then
click OK . For packageID, enter the value that you identified in step 3.
g. Click Refresh Object , and then click EnableLabShell in the Proper ties pane.
h. Click Edit Proper ty , change the value to TRUE , and click Save Proper ty .
i. Click Save Object , and then exit the Windows Management Instrumentation Tester.
10. You must distribute the boot image to distribution points, distribution point groups, or to collections that
are associated with distribution point groups before you can use the boot image in a task sequence. Use
the following steps to distribute the boot image.
a. In the Configuration Manager console, click Software Librar y .
b. In the Software Librar y workspace, expand Operating Systems , and then click Boot Images .
 c. Click the boot image identified in step 3.
d. On the Home tab, in the Deployment group, click Update Distribution Points .

Customize a boot image that uses Windows PE 3.1

To customize a boot image that uses WinPE 3.1, you must install Windows AIK, install the Windows AIK
supplement for Windows 7 SP1, and use the DISM command-line tool to mount the boot image, add optional
components and drivers, and commit the changes to the boot image. Use the following procedure to customize
the boot image.
To customize a boot image that uses Windows PE 3.1
1. Install the Windows AIK on a computer that does not have another version of Windows AIK or Windows
ADK, and does not have any Configuration Manager components installed. Download Windows AIK from
the Microsoft Download Center.
2. Install the Windows AIK Supplement for Windows 7 with SP1 on the computer from step 1. Download
Windows AIK Supplement for Windows 7 SP1 from the Microsoft Download Center.
3. Copy the boot image (wimpe.wim) from the Windows AIK installation folder (for example,
<InstallationPath>\Windows AIK\Tools\PETools\amd64\) to a folder on the computer from which you will
customize the boot image. This procedure uses C:\WinPEWAIK as the folder name.
4. Use DISM to mount the boot image to a local Windows PE folder. For example, type the following
command-line:
dism.exe /mount-wim /wimfile:C:\WinPEWAIK\winpe.wim /index:1 /mountdir :C:\WinPEMount
Where C:\WinPEWAIK is the folder that contains the boot image and C:\WinPEMount is the mounted folder.

NOTE
For more information, see the DISM (Deployment Image Servicing and Management) Reference.

5. After you mount the boot image, use DISM to add optional components to the boot image. In Windows PE
3.1, for example, the optional components are located in <InstallationPath>\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\.

NOTE
This procedure uses the following location for the optional components: C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs. The path you use might be different depending on the version and
installation options you choose for the Windows AIK.

Type the following to install the optional components:

dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\winpe-wmi.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\winpe-scripting.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\winpe-wds-tools.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\ <locale> \winpe-wmi_ <locale> .cab"
 dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\ <locale> \winpe-scripting_ <locale> .cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\ <locale> \winpe-wds-tools_ <locale> .cab"
Where C:\WinPEMount is the mounted folder and locale is the locale for the components. For example, for
the en-us locale, you would type:
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\en-us\winpe-wmi_en-us.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\en-us\winpe-scripting_en-us.cab"
dism.exe /image:C:\WinPEMount /add-package /packagepath:"C:\Program Files\Windows
AIK\Tools\PETools\amd64\WinPE_FPs\en-us\winpe-wds-tools_en-us.cab"

TIP
For more information about the different packages that you can add to the boot image, see Add a Package to a
Windows PE Image.

6. Use DISM to add specific drivers to the boot image, when required. Type the following to add drivers to the
boot image, if required:
dism.exe /image:C:\WinPEMount /add-driver /driver :< path to driver .inf file >
Where C:\WinPEMount is the mounted folder.
7. Type the following to unmount the boot image file and commit the changes.
dism.exe /unmount-wim /mountdir :C:\WinPEMount /commit
Where C:\WinPEMount is the mounted folder.
8. Add the updated boot image to Configuration Manager to make it available to use in your task sequences.
Use the following steps to import the updated boot image:
a. In the Configuration Manager console, click Software Librar y .
b. In the Software Librar y workspace, expand Operating Systems , and then click Boot Images .
c. On the Home tab, in the Create group, click Add Boot Image to start the Add Boot Image Wizard.
d. On the Data Source page, specify the following options, and then click Next .
In the Path box, specify the path to the updated boot image file. The specified path must be a
valid network path in the UNC format. For example: \\< servername>\< WinPEWAIK
share>\winpe.wim .
Select the boot image from the Boot Image drop-down list. If the WIM file contains multiple
boot images, each image is listed.
e. On the General page, specify the following options, and then click Next .
In the Name box, specify a unique name for the boot image.
In the Version box, specify a version number for the boot image.
In the Comment box, specify a brief description of how the boot image is used.
 f. Complete the wizard.
9. You can enable a command shell in the boot image to debug and troubleshoot it in Windows PE. Use the
following steps to enable the command shell.
a. In the Configuration Manager console, click Software Librar y .
b. In the Software Librar y workspace, expand Operating Systems , and then click Boot Images .
c. Find the new boot image in the list and identify the package ID for the image. You can find the
package ID in the Image ID column for the boot image.
d. From a command prompt, type wbemtest to open the Windows Management Instrumentation
Tester.
e. Type \\< SMS Provider Computer>\root\sms\site_< sitecode> in Namespace , and then click
Connect .
f. Click Open Instance , type sms_bootimagepackage.packageID="<packageID>" , and then
click OK . For packageID, enter the value that you identified in step 3.
g. Click Refresh Object , and then click EnableLabShell in the Proper ties pane.
h. Click Edit Proper ty , change the value to TRUE , and click Save Proper ty .
i. Click Save Object , and then exit the Windows Management Instrumentation Tester.
10. You must distribute the boot image to distribution points, distribution point groups, or to collections that
are associated with distribution point groups before you can use the boot image in a task sequence. Use
the following steps to distribute the boot image.
a. In the Configuration Manager console, click Software Librar y .
b. In the Software Librar y workspace, expand Operating Systems , and then click Boot Images .
c. Click the boot image identified in step 3.
d. On the Home tab, in the Deployment group, click Update Distribution Points .
 Manage OS images with Configuration Manager
9/4/2020 • 10 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

OS images in Configuration Manager are stored in the Windows image (WIM) file format. These images are a
compressed collection of reference files and folders use to install and configure a new OS on a computer. Many
OS deployment scenarios require an OS image.

OS image types
You can use a default OS image, or build the OS image from a reference computer that you configure. When you
build the reference computer, you add OS files, drivers, support files, software updates, tools, and applications to
the OS. Then you capture it to create the image file.
Default image
The Windows installation files include the default OS image. This image is a basic OS image that contains a
standard set of drivers. When you use the default OS image, use task sequence steps to install apps and make
other configurations after the OS installs on a device. Locate the default OS image in the Windows source files:
\Sources\install.wim .

Default image advantages

The image size is smaller than a captured image.
Installing apps and configurations with task sequence steps is more dynamic. For example, change the
configurations and apps that install in the task sequence, without having to reimage the device.
Default image disadvantages
OS installation can take more time. The application installation and other configurations occur after the OS
installation completes.
Captured image from a reference computer
To create a customized OS image, build a reference computer with the desired OS. Then install applications and
configure settings. Capture the OS image from the reference computer to create the WIM file. Manually build the
reference computer, or use a task sequence to automate some or all of the build steps. For more information, see
Customize OS images.
Captured image advantages
The installation can be faster than using the default image. For example, applications can be preinstalled with
the captured OS image. Then you don't need to install those same applications later by using task sequence
steps.
Captured image disadvantages
The image size is potentially larger than the default image.
Need to create a new image when you require updates for applications and tools.

Add an OS image
Before you can use an OS image, add it to your Configuration Manager site.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Operating System Images node.
2. On the Home tab of the ribbon, in the Create group, select Add Operating System Image . This action
starts the Add Operating System Image Wizard.
3. On the Data Source page, specify the following information:
Network Path to the OS image file. For example, \\server\share\path\image.wim .
Extract a specific image index from the specified WIM file and then select an image index
from the list. Starting in version 1902, this option automatically imports a single index rather than
all image indexes in the file. Using this option results in a smaller image file, and faster offline
servicing. It also supports the process to Optimize image servicing, for a smaller image file after
applying software updates.

NOTE
Configuration Manager doesn't modify the source image file. It creates a new image file in the same source
directory.
This extraction process can fail for extremely large image files, for example over 60 GB. The DISM error is
Not enough storage is available to process this command. The command line that Configuration
Manager uses is in the smsprov.log and dism.log. Manually run the same command and then import the
image.

Starting in version 1906, if you want to pre-cache content on a client, specify the Architecture and
Language of the image. For more information, see Configure pre-cache content.
4. On the General page, specify the following information. This information is useful for identification
purposes when you have more than one OS image.
Name : A unique name for the image. By default, the name comes from the WIM file name.
Version : An optional version identifier. This property doesn't need to be the OS version of the
image. It's often your organization's version for the package.
Comment : An optional brief description.
5. Complete the wizard.
For the PowerShell cmdlet equivalent of this console wizard, see New-CMOperatingSystemImage.
Next, distribute the OS image to distribution points.

Distribute content to distribution points

Distribute OS images to distribution points the same as other content. Before you deploy the task sequence,
distribute the OS image to at least one distribution point. For more information, see Distribute content.

Apply software updates to an image

NOTE
This section applies to both OS images and OS upgrade packages . It uses the general term "image" to refer to the
Windows image file (WIM). Both of these objects have a WIM, which contains Windows installation files. Software updates
are applicable to these files in both objects. The behavior of this process is the same between both objects.

Each month there are new software updates applicable to the image. Before you can apply software updates to it,
you need the following prerequisites:
 A software updates infrastructure
Successfully synchronized software updates
Downloaded the software updates to the content library on the site server
For more information, see Deploy software updates.
Apply applicable software updates to an image on a specified schedule. This process is sometimes called offline
servicing. On this schedule, Configuration Manager applies the selected software updates to the image. It can
then also redistribute the updated image to distribution points.

IMPORTANT
While you can select any software update that's applicable to the image based on version, DISM can only apply certain
types of updates to the image. The OfflineSer vicingMgr.log file shows the following entry:
Not applying this update binary, it is not supported .

The site database stores information about the image, including the software updates that were applied at the
time of the import. Software updates that you apply to the image since it was initially added are also stored in
the site database. When you start the wizard to apply software updates, it retrieves the list of applicable software
updates that the site hasn't yet applied to the image. Configuration Manager copies the software updates that
you select from the content library on the site server. It then applies the software updates to the image.
Servicing process
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select either Operating System Images or Operating System Upgrade
Packages .
2. Select the object to which to apply software updates.
3. On the ribbon, select Schedule Updates to start the wizard.
4. On the Choose Updates page, select the software updates to apply to the image. It may take some time
for the list of updates to appear in the wizard. Use the Filter to search for strings in the metadata. Use the
System architecture drop-down list to filter on X86 , X64 , or All . You can select one, many, or all
updates in the list. When you're finished selecting updates, select Next .
5. On the Set Schedule page, specify the following settings, and then click Next .
a. Schedule : Specify the schedule for when the site applies the software updates to the image.
b. Continue on error : Select this option to continue to apply software updates to the image even
when there's an error.
c. Update distribution points with the image : Select this option to update the image on
distribution points after the site applies the software updates.
6. Complete the Schedule Updates Wizard.

NOTE
To minimize the payload size, the servicing of OS upgrade packages and OS images removes the older version.

Servicing operations
In the Configuration Manager console, in either the OS Images or OS Upgrade Packages node, add the
following columns to the view:
 Scheduled Updates Date : This property shows the next schedule that you've defined.
Scheduled Updates Status : This property shows the status. For example, Successful or In Process .
Select a specific image object, and then switch to the Update Status tab in the details pane. This tab shows the
list of updates in the image.
Select a specific image object, and select Proper ties in the ribbon. The Installed Updates tab shows the list of
updates in the image. The Ser vicing tab is a read-only view of the current servicing schedule and the updates
that you've scheduled to apply.
When the status is In Process , you can select Cancel Scheduled Updates on the ribbon. This action cancels
the active servicing process.
To troubleshoot this process, view the OfflineSer vicingMgr.log and dism.log files on the site server. For more
information, see Log files.
Specify the drive for offline OS image servicing
Starting in version 1810, specify the drive that Configuration Manager uses during offline servicing of OS
images. This process can consume a large amount of disk space with temporary files. This option gives you
flexibility to select the drive to use.
1. In the Configuration Manager console, go to the Administration workspace, expand Site
Configuration , and select the Sites node. In the ribbon, click Configure Site Components and select
Operating System Deployment .
2. On the Offline Ser vicing tab, specify the option for A local drive to be used by offline ser vicing of
images .
By default, this setting is Automatic . With this value, Configuration Manager selects the drive on which it's
installed.
If you select a drive that doesn't exist on the site server, Configuration Manager behaves the same as if you select
Automatic .
During offline servicing, Configuration Manager stores temporary files in the folder,
<drive>:\ConfigMgr_OfflineImageServicing . It also mounts the OS image in this folder.

Optimized image servicing

Starting in version 1902, when you apply software updates to an OS image, there's a new option to optimize the
output by removing any superseded updates. The optimization to offline servicing only applies to images with a
single index.
When you schedule the site to apply software updates to an OS image, it uses the Windows Deployment Image
Servicing and Management (DISM) command-line tool. During the servicing process, this change introduces the
following two additional steps:
It runs DISM against the mounted offline image with the parameters
/Cleanup-Image /StartComponentCleanup /ResetBase . If this command fails, the current servicing process
fails. It doesn't commit any changes to the image.
After Configuration Manager commits changes to the image and unmounts it from the file system, it
exports the image to another file. This step uses the DISM parameter /Export-Image . It removes unneeded
files from the image, which reduces the size.
Microsoft recommends that you regularly apply updates to your offline images. You don't have to use this option
every time you service an image. When you do this process each month, this new option provides you the
greatest advantage by using it over time. For more information, see Recommendations for Install Software
Updates step.
While this option helps reduce the overall size of the serviced image, it does take longer to complete the process.
Use the wizard to schedule servicing during convenient times. It also requires additional storage on the site
server. You can customize the site to use an alternate location. For more information, see Specify the drive for
offline OS image servicing.
Process to optimize image servicing
1. Start the servicing process.
2. On the Set Schedule page, select the option to Remove superseded updates after the image is
updated . This option isn't automatically enabled. If the image has more than one index, you can't use this
option.
3. To schedule image servicing, complete the wizard.
Validate and monitor the process using the OfflineSer vicing.log .

Prepare the OS image for multicast deployments

Use multicast deployments to allow more than one computer to simultaneously download an OS image. The
image is multicast to clients by the distribution point, rather than each client downloading a copy of the image
from the distribution point over a separate connection. When you choose the OS deployment method to Use
multicast to deploy Windows over the network, configure the OS image to support multicast. Then distribute the
image to a multicast-enabled distribution point.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Operating System Images node.
2. Select the OS image that you want to distribute to a multicast-enabled distribution point.
3. On the Home tab of the ribbon, in the Proper ties group, select Proper ties .
4. Switch to the Distribution Settings tab, and configure the following options:
Allow this package to be transferred via multicast (WinPE only) : Select this option for
Configuration Manager to simultaneously deploy OS images using multicast.
Encr ypt multicast packages : Specify whether the site encrypts the image before it's sent to the
distribution point. If the image contains sensitive information, use this option. If the image isn't
encrypted, its contents are visible in clear text on the network. Then an unauthorized user could
intercept and view the image contents.
Transfer this package only via multicast : Specify whether you want the distribution point to
deploy the image only during a multicast session.
If you select Transfer this package only via multicast , you must also specify the task sequence
deployment option to Download content locally when needed by the running task
sequence . For more information, see Deploy a task sequence.
5. Select OK to save the settings and close the image properties.
 Customize operating system images with
Configuration Manager
9/4/2020 • 5 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Operating system images in Configuration Manager are WIM files and represent a compressed collection of
reference files and folders that are required to successfully install and configure an operating system on a
computer. A custom operating system image is built and captured from a reference computer that you configure
with all the required operating system files, support files, software updates, tools, and other software apps. The
extent to which you manually configure the reference computer is up to you. You can completely automate the
configuration of the reference computer by using a build and capture task sequence, you can manually configure
certain aspects of the reference computer and then automate the rest by using task sequences, or you can
manually configure the reference computer without using task sequences. Use the following sections to customize
an operating system.

Prepare for the reference computer

There are several things to think about before you use capture an operating system image from a reference
computer.
Decide between an automated or manual configuration
The following outlines advantages and disadvantage for an automated and manual configuration of the reference
computer.
Automated configuration
Advantages
The configuration can be completely unattended, which eliminates the requirement for an administrator or
user to be present.
You can reuse the task sequence to repeat the configuration of additional reference computers with a high
level of confidence.
You can modify the task sequence to accommodate differences in reference computers without having to
recreate the entire task sequence.
Disadvantages
The initial action to build a task sequence can take a long time to create and test.
If the reference computer requirements change significantly, it can take a long time to rebuild and retest the
task sequence.
Manual configuration
Advantages
You do not have to create a task sequence or take the time to test and troubleshoot the task sequence.
You can install directly from CDs without putting all the software packages (including Windows itself) into a
Configuration Manager package.
Disadvantages
 The accuracy of the reference computer configuration depends on the administrator or user who configures
the computer.
You must still verify and test that the reference computer is configured correctly.
You cannot reuse the configuration method.
Requires a person to be actively involved throughout the process.
Considerations for the reference computer
The following lists the basic items to consider when you configure a reference computer.
Operating system to deploy
The reference computer must be installed with the operating system that you intend to deploy to your
destination computers. For more information about the operating systems that you can deploy, see
Infrastructure requirements for operating system deployment.
Appropriate ser vice pack
The reference computer must be installed with the operating system that you intend to deploy to your
destination computers.
Appropriate software updates
Install all software applications that you want included in the operating system image that you capture from
the reference computer. You can also install software applications when you deploy the captured operating
system image to your destination computers.
Workgroup membership
The reference computer must be configured as a member of a workgroup.
Sysprep
The System Preparation (Sysprep) tool is a technology that you can use with other deployment tools to
install Windows operating systems onto new hardware. Sysprep prepares a computer for disk imaging or
delivery to a customer by configuring the computer to create a new computer security identifier (SID) when
the computer is restarted. In addition, Sysprep cleans up user and computer-specific settings and data that
must not be copied to a destination computer.
You can manually Sysprep the reference computer by running the following command:
Sysprep /quiet /generalize /reboot

The /generalize option instructs Sysprep to remove system-specific data from the Windows installation.
System-specific information includes event logs, unique security IDs (SIDs), and other unique information.
After the unique system information is removed, the computer restarts.
You can automate Sysprep by using the Prepare Windows for Capture task sequence step or capture media.

IMPORTANT
The Prepare Windows for Capture task sequence step attempts to reset the local administrator password on the
reference computer to a blank value before Sysprep runs. If the Local Security policy Password must meet
complexity requirements is enabled, this task sequence step fails to reset the administrator password. In this
scenario, disable this policy before you run the task sequence.

For more information about Sysprep, see Sysprep (System Preparation) overview.
 Appropriate tools and scripts required to mitigate installation scenarios
Appropriate tools and scripts required to mitigate installation scenarios
Appropriate desktop customization, such as wall paper, branding, and default user profile
You can configure the reference computer with the desktop customization properties that you want to
include when you capture the operating system image from the reference computer. Desktop properties
include wallpaper, organizational branding, and a standard default user profile.

Manually build a reference computer

Use the following procedure to manually build a reference computer.

NOTE
When you manually build the reference computer, you can capture the operating system image by using capture media. For
more information, see Create capture media.

To manually build the reference computer

1. Identify the computer to use as the reference computer.
2. Configure the reference computer with the appropriate operating system and any other software that is
required to create the operating system image that you want to deploy.

WARNING
At a minimum, install the appropriate operating system and service pack, support drivers, and required software
updates.

3. Configure the reference computer to be a member of a workgroup.

4. Reset the local Administrator password on the reference computer so that the password value is blank.
5. Run Sysprep by using the command: sysprep /quiet /generalize /reboot . The /generalize option
instructs Sysprep to remove system-specific data from the Windows installation. System-specific
information includes event logs, unique security IDs (SIDs), and other unique information. After the unique
system information is removed, the computer restarts.
After the reference computer is ready, use a task sequence to capture the operating system image from the
reference computer. For detailed steps, see Capture an operating system image from an existing reference
computer.

Use a task sequence to build a reference computer

You can automate the process to create a reference computer by using a task sequence to deploy the operating
system, drivers, applications, and so on. Use the following steps to build the reference computer and then to
capture the operating system image from the reference computer.
Use a task sequence to build and capture the operating system image from the reference computer. For detailed
steps, see Use a task sequence to build and capture a reference computer.
 Manage OS upgrade packages with Configuration
Manager
9/4/2020 • 8 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

An OS upgrade package in Configuration Manager contains the Windows setup source files to upgrade an existing
OS on a computer. This article describes how to add, distribute, and service an OS upgrade package.

NOTE
OS upgrade packages can also be used for new installations of Windows. However it is dependent on drivers being
compatible with this method. When performing new installations of Windows from an OS upgrade package, drivers are
installed while still in Windows PE versus simply being injected while in Windows PE. Some drivers are not compatible with
being installed while in Windows PE. If drivers are not compatible with being installed while in Windows PE, then use an OS
image, such as install.wim , instead.

Add an OS upgrade package

Before you can use an OS upgrade package, first add it to your Configuration Manager site.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Operating System Upgrade Packages node.
2. On the Home tab of the ribbon, in the Create group, select Add Operating System Upgrade Package .
This action starts the Add Operating System Upgrade Wizard.
3. On the Data Source page, specify the following settings:
The network Path to the installation source files of the OS upgrade package. For example,
\\server\share\path .

NOTE
The installation source files contain setup.exe and other files and folders to install the OS.

IMPORTANT
Limit access to these installation source files to prevent unwanted tampering.

Extract a specific image index from install.wim file of selected upgrade package and then
select an image index from the list. Starting in version 1910, this option automatically imports a
single index rather than all image indexes in the file. Using this option results in a smaller image file,
and faster offline servicing. It also supports the process to Optimize image servicing, for a smaller
image file after applying software updates.
 IMPORTANT
Configuration Manager overwrites the existing install.wim in the OS upgrade package. It extracts the image
index to a temporary location, and then moves it into the original source directory. Before you import an OS
upgrade package and enable this option, make sure to backup the original source files.

If you want to pre-cache content on a client, specify the Architecture and Language of the image.
For more information, see Configure pre-cache content.
4. On the General page, specify the following information. This information is useful for identification
purposes when you have more than one OS upgrade package.
Name : A unique name for the OS upgrade package.
Version : An optional version identifier. This property doesn't need to be the OS version of the
upgrade package. It's often your organization's version for the package.
Comment : An optional brief description.
5. Complete the wizard.
Next, distribute the OS upgrade package to distribution points.

Distribute content to a distribution point

Distribute OS upgrade packages to distribution points the same as other content. Before you deploy the task
sequence, distribute the OS upgrade package to at least one distribution point. For more information, see
Distribute content.

Apply software updates to an image

NOTE
This section applies to both OS images and OS upgrade packages . It uses the general term "image" to refer to the
Windows image file (WIM). Both of these objects have a WIM, which contains Windows installation files. Software updates
are applicable to these files in both objects. The behavior of this process is the same between both objects.

Each month there are new software updates applicable to the image. Before you can apply software updates to it,
you need the following prerequisites:
A software updates infrastructure
Successfully synchronized software updates
Downloaded the software updates to the content library on the site server
For more information, see Deploy software updates.
Apply applicable software updates to an image on a specified schedule. This process is sometimes called offline
servicing. On this schedule, Configuration Manager applies the selected software updates to the image. It can then
also redistribute the updated image to distribution points.

IMPORTANT
While you can select any software update that's applicable to the image based on version, DISM can only apply certain
types of updates to the image. The OfflineSer vicingMgr.log file shows the following entry:
Not applying this update binary, it is not supported .
The site database stores information about the image, including the software updates that were applied at the
time of the import. Software updates that you apply to the image since it was initially added are also stored in the
site database. When you start the wizard to apply software updates, it retrieves the list of applicable software
updates that the site hasn't yet applied to the image. Configuration Manager copies the software updates that you
select from the content library on the site server. It then applies the software updates to the image.
Servicing process
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select either Operating System Images or Operating System Upgrade Packages .
2. Select the object to which to apply software updates.
3. On the ribbon, select Schedule Updates to start the wizard.
4. On the Choose Updates page, select the software updates to apply to the image. It may take some time
for the list of updates to appear in the wizard. Use the Filter to search for strings in the metadata. Use the
System architecture drop-down list to filter on X86 , X64 , or All . You can select one, many, or all updates
in the list. When you're finished selecting updates, select Next .
5. On the Set Schedule page, specify the following settings, and then click Next .
a. Schedule : Specify the schedule for when the site applies the software updates to the image.
b. Continue on error : Select this option to continue to apply software updates to the image even
when there's an error.
c. Update distribution points with the image : Select this option to update the image on
distribution points after the site applies the software updates.
6. Complete the Schedule Updates Wizard.

NOTE
To minimize the payload size, the servicing of OS upgrade packages and OS images removes the older version.

Servicing operations
In the Configuration Manager console, in either the OS Images or OS Upgrade Packages node, add the
following columns to the view:
Scheduled Updates Date : This property shows the next schedule that you've defined.
Scheduled Updates Status : This property shows the status. For example, Successful or In Process .
Select a specific image object, and then switch to the Update Status tab in the details pane. This tab shows the list
of updates in the image.
Select a specific image object, and select Proper ties in the ribbon. The Installed Updates tab shows the list of
updates in the image. The Ser vicing tab is a read-only view of the current servicing schedule and the updates
that you've scheduled to apply.
When the status is In Process , you can select Cancel Scheduled Updates on the ribbon. This action cancels the
active servicing process.
To troubleshoot this process, view the OfflineSer vicingMgr.log and dism.log files on the site server. For more
information, see Log files.
Specify the drive for offline OS image servicing
Starting in version 1810, specify the drive that Configuration Manager uses during offline servicing of OS images.
This process can consume a large amount of disk space with temporary files. This option gives you flexibility to
select the drive to use.
1. In the Configuration Manager console, go to the Administration workspace, expand Site Configuration ,
and select the Sites node. In the ribbon, click Configure Site Components and select Operating
System Deployment .
2. On the Offline Ser vicing tab, specify the option for A local drive to be used by offline ser vicing of
images .
By default, this setting is Automatic . With this value, Configuration Manager selects the drive on which it's
installed.
If you select a drive that doesn't exist on the site server, Configuration Manager behaves the same as if you select
Automatic .
During offline servicing, Configuration Manager stores temporary files in the folder,
<drive>:\ConfigMgr_OfflineImageServicing . It also mounts the OS image in this folder.

Optimized image servicing

Starting in version 1902, when you apply software updates to an OS image, there's a new option to optimize the
output by removing any superseded updates. The optimization to offline servicing only applies to images with a
single index.
When you schedule the site to apply software updates to an OS image, it uses the Windows Deployment Image
Servicing and Management (DISM) command-line tool. During the servicing process, this change introduces the
following two additional steps:
It runs DISM against the mounted offline image with the parameters
/Cleanup-Image /StartComponentCleanup /ResetBase . If this command fails, the current servicing process fails.
It doesn't commit any changes to the image.
After Configuration Manager commits changes to the image and unmounts it from the file system, it
exports the image to another file. This step uses the DISM parameter /Export-Image . It removes unneeded
files from the image, which reduces the size.
Microsoft recommends that you regularly apply updates to your offline images. You don't have to use this option
every time you service an image. When you do this process each month, this new option provides you the
greatest advantage by using it over time. For more information, see Recommendations for Install Software
Updates step.
While this option helps reduce the overall size of the serviced image, it does take longer to complete the process.
Use the wizard to schedule servicing during convenient times. It also requires additional storage on the site server.
You can customize the site to use an alternate location. For more information, see Specify the drive for offline OS
image servicing.
Process to optimize image servicing
1. Start the servicing process.
2. On the Set Schedule page, select the option to Remove superseded updates after the image is
updated . This option isn't automatically enabled. If the image has more than one index, you can't use this
option.
3. To schedule image servicing, complete the wizard.
Validate and monitor the process using the OfflineSer vicing.log .

Next steps
Create a task sequence to upgrade an OS
 Manage drivers in Configuration Manager
9/4/2020 • 15 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Configuration Manager provides a driver catalog that you can use to manage the Windows device drivers in your
Configuration Manager environment. Use the driver catalog to import device drivers into Configuration Manager,
to group them in packages, and to distribute those packages to distribution points. Device drivers can be used
when you install the full OS on the destination computer and when you use Windows PE in a boot image.
Windows device drivers consist of a setup information (INF) file and any additional files that are required to
support the device. When you deploy an OS, Configuration Manager obtains the hardware and platform
information for the device from its INF file.

Driver categories
When you import device drivers, you can assign the device drivers to a category. Device driver categories help
group similarly used device drivers together in the driver catalog. For example, set all network adapter device
drivers to a specific category. Then, when you create a task sequence that includes the Auto Apply Drivers step,
specify a category of device drivers. Configuration Manager then scans the hardware and selects the applicable
drivers from that category to stage on the system for Windows Setup to use.

Driver packages
Group similar device drivers in packages to help streamline OS deployments. For example, create a driver package
for each computer manufacturer on your network. You can create a driver package when importing drivers into
the driver catalog directly in the Driver Packages node. After you create a driver package, distribute it to
distribution points. Then Configuration Manager client computers can install the drivers as required.
Consider the following points:
When you create a driver package, the source location of the package must point to an empty network
share that's not used by another driver package. The SMS Provider must have Full control permissions to
that location.
When you add device drivers to a driver package, Configuration Manager copies it to the package source
location. You can add to a driver package only device drivers that you've imported and that are enabled in
the driver catalog.
You can copy a subset of the device drivers from an existing driver package. First, create a new driver
package. Then add the subset of device drivers to the new package, and then distribute the new package to
a distribution point.
When you use task sequences to install drivers, create driver packages that contain less than 500 device
drivers.
Create a driver package

IMPORTANT
To create a driver package, you must have an empty network folder that's not used by another driver package. In most
cases, create a new folder before you start this procedure.
1. In the Configuration Manager console, go to the Software Librar y workspace. Expand Operating
Systems , and then select the Driver Packages node.
2. On the Home tab of the ribbon, in the Create group, select Create Driver Package .
3. Specify a descriptive Name for the driver package.
4. Enter an optional Comment for the driver package. Use this description to provide information about the
contents or the purpose of the driver package.
5. In the Path box, specify an empty source folder for the driver package. Each driver package must use a
unique folder. This path is required as a network location.

IMPORTANT
The site server account must have Full control permissions to the specified source folder.

The new driver package doesn't contain any drivers. The next step adds drivers to the package.
If the Driver Packages node contains several packages, you can add folders to the node to separate the packages
into logical groups.
Additional actions for driver packages
You can do additional actions to manage driver packages when you select one or more driver packages from the
Driver Packages node.
Create Prestage Content file
Creates files that you can use to manually import content and its associated metadata. Use prestaged content
when you have low network bandwidth between the site server and the distribution points where the driver
package is stored.
Delete
Removes the driver package from the Driver Packages node.
Distribute Content
Distributes the driver package to distribution points, distribution point groups, and distribution point groups that
are associated with collections.
Manage Access Accounts
Adds, modifies, or removes access accounts for the driver package.
For more information about package access accounts, see Accounts used in Configuration Manager.
Move
Moves the driver package to another folder in the Driver Packages node.
Update Distribution Points
Updates the device driver package on all the distribution points where the package is stored. This action copies
only the content that has changed after the last time it was distributed.
Properties
Opens the Proper ties dialog box. Review and change the content and properties of the driver. For example,
change the name and description of the driver, enable or disable it, and specify on which platforms it can run.
Starting in version 1810, driver packages have metadata fields for Manufacturer and Model . Use these fields to
tag driver packages with information to assist in general housekeeping, or to identify old and duplicate drivers
that you can delete. On the General tab, select an existing value from the drop-down lists, or enter a string to
create a new entry.
In the Driver Packages node, these fields display in the list as the Driver Manufacturer and Driver Model
columns. They can also be used as search criteria.
Starting in version 1906, use these attributes to pre-cache content on a client. For more information, see
Configure pre-cache content.

Device drivers
You can install drivers on destination computers without including them in the OS image that is deployed.
Configuration Manager provides a driver catalog that contains references to all the drivers that you import into
Configuration Manager. The driver catalog is located in the Software Librar y workspace and consists of two
nodes: Drivers and Driver Packages . The Drivers node lists all the drivers that you've imported into the driver
catalog.
Import device drivers into the driver catalog
Before you can use a driver when you deploy an OS, import it into the driver catalog. To better manage them,
import only the drivers that you plan to install as part of your OS deployments. Store multiple versions of drivers
in the catalog to provide an easy way to upgrade existing drivers when hardware device requirements change on
your network.
As part of the import process for the device driver, Configuration Manager reads the following properties about
the driver:
Provider
Class
Version
Signature
Supported hardware
Supported platform information
By default, the driver is named after the first hardware device that it supports. You can rename the device driver
later. The supported platforms list is based on the information in the INF file of the driver. Because the accuracy of
this information can vary, manually verify that the driver is supported after you import it into the catalog.
After you import device drivers into the catalog, add them to driver packages or boot image packages.

IMPORTANT
You can't import device drivers directly into a subfolder of the Drivers node. To import a device driver into a subfolder, first
import the device driver into the Drivers node, and then move the driver to the subfolder.

Process to import Windows device drivers into the driver catalog

1. In the Configuration Manager console, go to the Software Librar y workspace. Expand Operating
Systems , and select the Drivers node.
2. On the Home tab of the ribbon, in the Create group, select Impor t Driver to start the Impor t New
Driver Wizard .
3. On the Locate Driver page, specify the following options:
Impor t all drivers in the following network path (UNC) : To import all the device drivers in a
specific folder, specify its network path. For example: \\servername\share\folder .
 NOTE
If there are a lot of subfolders and a lot of driver INF files, this process can take time.

Impor t a specific driver : To import a specific driver from a folder, specify the network path to the
Windows device driver INF file.
Specify the option for duplicate drivers : Select how you want Configuration Manager to
manage driver categories when you import a duplicate device driver
Impor t the driver and append a new categor y to the existing categories
Impor t the driver and keep the existing categories
Impor t the driver and over write the existing categories
Do not impor t the driver

IMPORTANT
When you import drivers, the site server must have Read permission to the folder, or the import fails.

4. On the Driver Details page, specify the following options:

Hide drivers that are not in a storage or network class (for boot images) : Use this setting
to only display storage and network drivers. This option hides other drivers that aren't typically
needed for boot images, such as a video driver or modem driver.
Hide drivers that are not digitally signed : Microsoft recommends only using drivers that are
digitally signed
In the list of drivers, select the drivers that you want to import into the driver catalog.
Enable these drivers and allow computers to install them : Select this setting to let computers
install the device drivers. This option is enabled by default.

IMPORTANT
If a device driver is causing a problem or you want to suspend the installation of a device driver, disable it
during import. You can also disable drivers after you import them.

To assign the device drivers to an administrative category for filtering purposes, such as "Desktops"
or "Notebooks", select Categories . Then choose an existing category, or create a new category. Use
categories to control which device drivers are applied by the Auto Apply Drivers task sequence step.
5. On the Add Driver to Packages page, choose whether to add the drivers to a package.
Select the driver packages that are used to distribute the device drivers.
If necessary, select New Package to create a new driver package. When you create a new driver
package, provide a network share that's not in use by other driver packages.
If the package has already been distributed to distribution points, select Yes in the dialog box to
update the boot images on distribution points. You can't use device drivers until they're distributed
to distribution points. If you select No , run the Update Distribution Point action before using the
boot image. If the driver package has never been distributed, you must use the Distribute Content
action in the Driver Packages node.
6. On the Add Driver to Boot Images page, choose whether to add the device drivers to existing boot
 images.

NOTE
Add only storage and network drivers to the boot images.

Select Yes in the dialog box to update the boot images on distribution points. You can't use device
drivers until they're distributed to distribution points. If you select No , run the Update
Distribution Point action before using the boot image. If the driver package has never been
distributed, you must use the Distribute Content action in the Driver Packages node.
Configuration Manager warns you if the architecture for one or more drivers doesn't match the
architecture of the boot images that you selected. If they don't match, select OK . Go back to the
Driver Details page, and clear the drivers that don't match the architecture of the selected boot
image. For example, if you select an x64 and x86 boot image, all drivers must support both
architectures. If you select an x64 boot image, all drivers must support the x64 architecture.

NOTE
The architecture is based on the architecture reported in the INF from the manufacturer.
If a driver reports it supports both architectures, then you can import it into either boot image.

Configuration Manager warns you if you add device drivers that aren't network or storage drivers to
a boot image. In most cases, they aren't necessary for the boot image. Select Yes to add the drivers
to the boot image, or No to go back and modify your driver selection.
Configuration Manager warns you if one or more of the selected drivers aren't properly digitally
signed. Select Yes to continue, and select No to go back and make changes to your driver selection.
7. Complete the wizard.
Manage device drivers in a driver package
Use the following procedures to modify driver packages and boot images. To add or remove a driver, first locate it
in the Drivers node. Then edit the packages or boot images with which the selected driver is associated.
1. In the Configuration Manager console, go to the Software Librar y workspace. Expand Operating
Systems , and then select the Drivers node.
2. Select the device drivers that you want to add to a driver package.
3. On the Home tab of the ribbon, in the Driver group, select Edit , and then choose Driver Packages .
4. To add a device driver, select the check box of the driver packages to which you want to add the device
drivers. To remove a device driver, clear the check box of the driver packages from which you want to
remove the device driver.
If you're adding device drivers that are associated with driver packages, you can optionally create a new
package. Select New Package , which opens the New Driver Package dialog box.
5. If the package has already been distributed to distribution points, select Yes in the dialog box to update the
boot images on distribution points. You can't use device drivers until they're distributed to distribution
points. If you select No , run the Update Distribution Point action before using the boot image. If the
driver package has never been distributed, you must use the Distribute Content action in the Driver
Packages node. Before the drivers are available, you must update the driver package on distribution
points.
 Select OK when finished.
Manage device drivers in a boot image
You can add to boot images Windows device drivers that have been imported into the catalog. Use the following
guidelines when you add device drivers to a boot image:
Add only storage and network drivers to boot images. Other types of drivers aren't usually required in
Windows PE. Drivers that aren't required unnecessarily increase the size of the boot image.
Add only device drivers for Windows 10 to a boot image. The required version of Windows PE is based on
Windows 10.
Make sure that you use the correct device driver for the architecture of the boot image. Don't add an x86
device driver to an x64 boot image.
Process to modify the device drivers associated with a boot image
1. In the Configuration Manager console, go to the Software Librar y workspace. Expand Operating
Systems , and then select the Drivers node.
2. Select the device drivers that you want to add to the driver package.
3. On the Home tab of the ribbon, in the Driver group, select Edit , and then choose Boot images .
4. To add a device driver, select the check box of the boot image to which you want to add the device drivers.
To remove a device driver, clear the check box of the boot image from which you want to remove the device
driver.
5. If you don't want to update the distribution points where the boot image is stored, clear the Update
distribution points when finished check box. By default, the distribution points are updated when the
boot image is updated.
Select Yes in the dialog box to update the boot images on distribution points. You can't use device
drivers until they're distributed to distribution points. If you select No , run the Update
Distribution Point action before using the boot image. If the driver package has never been
distributed, you must use the Distribute Content action in the Driver Packages node.
Configuration Manager warns you if the architecture for one or more drivers doesn't match the
architecture of the boot images that you selected. If they don't match, select OK . Go back to the
Driver Details page and clear the drivers that don't match the architecture of the selected boot
image. For example, if you select an x64 and x86 boot image, all drivers must support both
architectures. If you select an x64 boot image, all drivers must support the x64 architecture.

NOTE
The architecture is based on the architecture reported in the INF from the manufacturer.
If a driver reports it supports both architectures then you can import it into either boot image.

Configuration Manager warns you if you add device drivers that aren't network or storage drivers to
a boot image. In most cases, they aren't necessary for the boot image. Select Yes to add the drivers
to the boot image or No to go back and modify your driver selection.
Configuration Manager warns you if one or more of the selected drivers aren't properly digitally
signed. Select Yes to continue or select No to go back and make changes to your driver selection.
Additional actions for device drivers
You can do additional actions to manage drivers when you select them in the Drivers node.
Categorize
Clears, manages, or sets an administrative category for the selected drivers.
Delete
Removes the driver from the Drivers node and also removes the driver from the associated distribution points.
Disable
Prohibits the driver from being installed. This action temporarily disables the driver. The task sequence can't install
a disabled driver when you deploy an OS.

NOTE
This action only prevents drivers from installing using the Auto Apply Driver task sequence step.

Enable
Lets Configuration Manager client computers and task sequences install the device driver when you deploy the
OS.
Move
Moves the device driver to another folder in the Drivers node.
Properties
Opens the Proper ties dialog box. Review and change the properties of the driver. For example, change its name
and description, enable or disable it, and specify which platforms it can run on.

Use task sequences to install drivers

Use task sequences to automate how the OS is deployed. Each step in the task sequence can do a specific action,
such as installing a driver. You can use the following two task sequence steps to install device drivers when you
deploy an OS:
Auto Apply Drivers: This step lets you automatically match and install device drivers as part of an operating
system deployment. You can configure the task sequence step to install only the best matched driver for
each detected hardware device. Alternatively, specify that the step installs all compatible drivers for each
detected hardware device, and then let Windows Setup choose the best driver. You can also specify a driver
category to limit the drivers that are available for this step.
Apply Driver Package: This step lets you make all device drivers in a specific driver package available for
Windows Setup. In the specified driver packages, Windows Setup searches for the device drivers that are
required. When you create stand-alone media, you must use this step to install device drivers.
When you use these task sequence steps, you can also specify how the drivers are installed on the computer
where you deploy the OS. For more information, see Manage task sequences to automate tasks.

Driver reports
You can use several reports in the Driver Management reports category to determine general information
about the device drivers in the driver catalog. For more information about reports, see Introduction to reporting.
 Manage user state in Configuration Manager
9/4/2020 • 7 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

You can use Configuration Manager task sequences to capture and restore the user state data in operating
system deployment scenarios where you want to retain the user state of the current operating system. For
example:
Deployments where you want to capture the user state from one computer to restore it on another
computer.
Update deployments where you want to capture and restore the user state on the same computer.
Configuration Manager uses the User State Migration Tool (USMT) 10.0 to manage the migration of user state
data from a source computer to a destination computer after the operating system installation completes. For
more information about common migration scenarios for the USMT 10.0, see Common Migration Scenarios.
Use the following sections to help you capture and restore user data.

Store user state data

When you capture user state, you can store the user state data on the destination computer or on a state
migration point. To store the user state on a user state migration point, you must use a Configuration Manager
site system server that hosts the state migration point site system role. To store the user state on the destination
computer, you must configure your task sequence to store the data locally using links.

NOTE
The links that are used to store the user state locally are referred to as hard-links. Hard-links is a USMT 10.0 feature that
scans the computer for user files and settings and then creates a directory of hard-links to those files. The hard-links are
then used to restore the user data after the new operating system is deployed.

IMPORTANT
You cannot use a state migration point and use hard-links to store the user state data at the same time.

When the user state information is captured, the information can be stored in one of the following ways:
You can store the user state data remotely by configuring a state migration point. The Capture task
sequence sends the data to the state migration point. Then, after the operating system is deployed, the
Restore task sequence retrieves the data and restores the user state on the destination computer.
You can store the user state data locally to a specific location. In this scenario, the Capture task sequence
copies the user data to a specific location on the destination computer. Then, after the operating system is
deployed, the Restore task sequence retrieves the user data from that location.
You can specify hard links that can be used to restore the user data to its original location. In this scenario,
the user state data remains on the drive when the old operating system is removed. Then, after the new
operating system is deployed, the Restore task sequence uses the hard-links to restore the user state data
to its original location.
Store user data on a state migration point
To store the user state data on a state migration point, you must do the following:
1. Configure a state migration point to store the user state data.
2. Create a computer association between the source computer and the destination computer. You must
create this association before you capture the user state on the source computer.
3. Create a task sequence to capture and restore user state. Specifically, you must add the following task
sequence steps to capture user data from a computer, store the user date on a state migration point, and
restore the user data to a computer:
Request State Store to request access to a state migration point when capturing state from a
computer or restoring state to a computer.
Capture User State to capture and store the user state data on the state migration point.
Restore User State to restore the user state on the destination computer by retrieving the data from
a user state migration point.
Release State Store to notify the state migration point that the capture or restore action is complete.
Store user data locally
To store the user state data locally, you must do the following:
Create a task sequence to capture and restore user state. Specifically, you must add the following task
sequence steps to capture user data from a computer and restore the user data to a computer by using
hard-links;
Capture User State to capture and store the user state data to a local folder by using hard-links.
Restore User State to restore the user state on the destination computer by retrieving the data by
using hard-links.

NOTE
The user state data that the hard-links reference remains on the computer after the task sequence removes
the old operating system. This is the data that is used to restore the user state when the new operating
system is deployed.

Configure a state migration point

The state migration point stores user state data that is captured on one computer and then restored on another
computer. However, when you capture user settings for an operating system deployment on the same computer,
such as a deployment where you refresh the operating system on the destination computer, you can store the
data on the same computer by using hard-links or on a state migration point. For some computer deployments,
when you create the state store, Configuration Manager automatically creates an association between the state
store and the destination computer. You can use the following methods to configure a state migration point to
store the user state data:
Use the Create Site System Ser ver Wizard to create a new site system server for the state migration
point.
Use the Add Site System Roles Wizard to add a state migration point to an existing server.
When you use these wizards, you are prompted to provide the following information for the state
migration point:
 The folders to store the user state data.
The maximum number of clients that can store data on the state migration point.
The minimum free space for the state migration point to store user state data.
The deletion policy for the role. You can specify that the user state data is deleted immediately after it is
restored on a computer, or after a specific number of days after the user data is restored on a computer.
Whether the state migration point responds only to requests to restore user state data. When you enable
this option, you cannot use the state migration point to store user state data.
For more information about the state migration point and the steps to configure it, see State migration
point.

Create a computer association

Create a computer association to define a relationship between a source computer and a destination computer
when you install an operating system on new hardware and want to capture and restore user data settings. The
source computer is an existing computer that Configuration Manager manages. When you deploy the new
operating system to the destination computer, the source computer contains the user state that is migrated to the
destination computer.

NOTE
It is not supported to create a computer association between computers located in a Configuration Manager parent site
with computers located in a child site. Computer Associations are site specific and do not replicate.

To create a computer association

1. In the Configuration Manager console, click Assets and Compliance .
2. In the Assets and Compliance workspace, click User State Migration .
3. On the Home tab, in the Create group, click Create Computer Association .
4. On the Computer Association tab of the Computer Association Proper ties dialog box, specify the
source computer that has the user state to capture, and the destination computer on which to restore the
user state data.
5. On the User Accounts tab, specify the user accounts to migrate to the destination computer. Specify one
of the following settings:
Capture and restore all user accounts : This setting captures and restores all user accounts. Use
this setting to create multiple associations to the same source computer.
Capture all user accounts and restore specified accounts : This setting captures all user
accounts on the source computer and only restores the accounts that you specify on the destination
computer. In addition, you can use this setting when you want to create multiple associations to the
same source computer.
Capture and restore specified user accounts : This setting captures and restores only the
accounts that you specify. You cannot create multiple associations to the same source computer
when you select this setting.

Restore user state data when an operating system deployment fails

If the operating system deployment fails, use the USMT 10.0 LoadState feature to retrieve the user states data
that was captured during the deployment process. This includes data that is stored on a state migration point or
data that is saved locally on the destination computer. For more information on this USMT feature, see LoadState
Syntax.
 Prepare for unknown computer deployments in
Configuration Manager
4/20/2020 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Use the information in this topic to deploy operating systems to unknown computers in your Configuration
Manager environment. An unknown computer is a computer that is not managed by Configuration Manager. This
means that there is no record of these computers in the Configuration Manager database. Unknown computers
include the following:
A computer where the Configuration Manager client is not installed
A computer that is not imported into Configuration Manager
A computer that is not been discovered by Configuration Manager
You can deploy operating systems to unknown computers with the following deployment methods:
Use PXE to deploy Windows over the network
Use bootable media to deploy an operating system
Use prestaged media to deploy an operating system

Unknown computer deployment workflow

The following is the basic workflow to deploy an operating system to an unknown computer:
Select an unknown computer object to use in the deployment. You can deploy the operating system to one
of the unknown computer objects in the All Unknown Computers collection or you can add the objects in
the All Unknown Computer collection to another collection. Configuration Manager provides two
unknown computer objects in the All Unknown Computers collection. One object is for x86 computers
and the other object is for x64 computers.

NOTE
The x86 Unknown Computer object is for computers that are only x86 capable. The x64 Unknown Computer
object is for computers that are x86 and x64 capable. In other words, these objects describe the architecture of the
destination computer. They do not describe the operating system that you want to deploy to the destination
computer.

Configure a PXE-enabled distribution point or create media to support unknown computer deployments.
Deploy the task sequence to install the operating system.

Unknown Computer Installation Process

When a computer is first started from PXE or from media, Configuration Manager checks to see if a record for that
computer exists in the Configuration Manager database. If there is a record, Configuration Manager then checks to
see if there are any task sequences deployed to the record. If there is not a record, Configuration Manager checks
to see if there are any task sequences deployed to an unknown computer object. In either case, Configuration
Manager then performs one of the following actions:
If there is an available task sequence, Configuration Manager prompts the user to run the task sequence.
If there is a required task sequence, Configuration Manager automatically runs the task sequence.
If a task sequence is not deployed for the record, Configuration Manager generates an error that there is no
deployed task sequence for the destination computer.
When an unknown computer is started, Configuration Manager recognizes the computer as an
unprovisioned computer rather than an unknown computer. This means that the computer can now receive
the task sequences that were deployed to the unknown computer object. The deployed task sequence then
installs an operating system image that must include the Configuration Manager client.
After the Configuration Manager client is installed, a record for the computer is created and the computer is
listed in the appropriate Configuration Manager collection. If the computer fails to install the operating
system image or the Configuration Manager client, an "Unknown" record for the computer is created and
the computer appears in the All Systems collection.

NOTE
During the installation of the operating system image, the task sequence can retrieve collection variables but not computer
variables from this computer.

Enabling Unknown Computer Support

Use the following to enable unknown computer support when you deploy an operating system by using PXE,
bootable media, and prestaged media.
PXE
Select the Enable unknown computer suppor t check box on the PXE tab for a distribution point that is
enabled for PXE. For more information, see Configuring distribution points to accept PXE requests.
Bootable media
Select the Enable unknown computer suppor t check box on the Security page of the Create Task
Sequence Media Wizard. For more information, see Configuring distribution points to accept PXE requests
and Use PXE to deploy Windows over the network with Configuration Manager.
Prestaged media
Select the Enable unknown computer suppor t check box on the Security page of the Create Task
Sequence Media Wizard. For more information, see Create prestaged media with Configuration Manager.
 Associate users with a destination computer in
Configuration Manager
4/20/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

When you use Configuration Manager to deploy operating systems, you can associate users with the destination
computer. This option works whether a single user or multiple users are the primary users of the destination
computer.
User device affinity supports user-centric management for when you deploy applications. When you associate a
user with the destination computer on which to install an OS, you can later deploy applications to that user, and
the applications automatically install on the destination computer. While you can configure support for user device
affinity during OS deployment, you can't use user device affinity to deploy the OS.
For more information about user device affinity, see Link users and devices with user device affinity.
There are several methods by which you can integrate user device affinity into your OS deployments. You can
integrate user device affinity into PXE deployments, bootable media deployments, and pre-staged media
deployments.
Create a task sequence that includes the SMSTSAssignUsersMode variable
Add the SMSTSAssignUsersMode variable to the beginning of your task sequence by using the Set Task
Sequence Variable step. This variable specifies how the task sequence handles the user information.
For more information, see Task sequence variables.
Create a prestart command that gathers the user information
The prestart command can be a VBScript with an input box. It can also be an HTML application (HTA) that validates
the user data that they enter.
This prestart command must set the SMSTSUDAUsers variable that's used when the task sequence runs. This
variable can be set on a computer, a collection, or a task sequence variable.
For more information, see Task sequence variables.
Configure how distribution points and media associate the user with the destination computer
The distribution point or media supports associating users with the destination computer where the OS is
deployed. Use one of the following methods:
Configure a distribution point to accept PXE boot requests
Create bootable media
Create pre-staged media
Configuring user device affinity support doesn't have a built-in method to validate the user identity. This behavior
is important when a technician is provisioning the computer and enters the information on behalf of the user. In
addition to setting how task sequence handles the user information, configuring these options on the distribution
point and media provides the ability to restrict the deployments that are started from a PXE boot or from a specific
type of media.
 Prepare Windows PE peer cache to reduce WAN
traffic in Configuration Manager
4/20/2020 • 6 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

When you deploy a new operating system in Configuration Manager, computers that run the task sequence can use
Windows PE Peer Cache to obtain content from a local peer (a peer cache source) instead of downloading content
from a distribution point. This helps minimize wide area network (WAN) traffic in branch office scenarios where
there is no local distribution point.
Windows PE Peer Cache is similar to Windows BranchCache, but functions in the Windows Preinstallation
Environment (Windows PE). The following terms are used to describe the clients that use Windows PE Peer Cache:
A peer cache client is a computer that is configured to use Windows PE Peer Cache.
A peer cache source is a client that is configured for peer cache and that makes content available to other
peer cache clients that request that content.
Use the following sections to manage Peer Cache.

Objects stored on a Peer Cache source

A task sequence configured to use Windows PE Peer Cache can get the following content objects while running in
Windows PE:
Operating system image
Driver package
Packages and Programs (When the client continues to run the task sequence in the full operating system, the
client gets this content from a peer cache source if the task sequence was originally configured for peer
cache when running in Windows PE.)
Additional boot images
The following content objects never transfer using peer cache. Instead, they transfer from a distribution point
or by Windows BranchCache if you have configured Windows BranchCache in your environment:
Applications
Software updates

How does Windows PE Peer Cache work?

Consider a scenario with a branch office that does not have a distribution point but does have several clients
enabled to use Windows PE Peer Cache. You deploy the task sequence configured to use peer cache to several
clients that are configured to be part of the peer cache source. The first client to run the task sequence broadcasts a
request for a peer with the content. It doesn't find one so it gets the content from a distribution point across the
WAN. The client installs the new image and then stores the content in its Configuration Manager client cache so it
can function as a peer cache source to other clients. When the next client runs the task sequence, it broadcasts a
request on the subnet for a peer cache source, and that first client responds and makes its cached content available.
Determine what clients will be part of the Windows PE Peer Cache
source
To help you determine what computers to select as a Windows PE Peer Cache source, there are several things that
you should consider:
The Windows PE Peer Cache source should be a desktop computer that is always powered on and available
to peer cache clients.
The Windows PE Peer Cache has a client cache size sufficient to store the images.

Requirements for a client to use a Windows PE Peer Cache source

For clients to use a Windows PE Peer Cache source, they must meet the following requirements:
The Configuration Manager client must be able to communicate across the following ports on your network:
Port for the initial network broadcast to find a peer cache source. By default, this is UDP port 8004.
Port for content downloading from a peer cache source (HTTP and HTTPS). By default, this is TCP port
8003.
For more information, see Ports used for connections.

TIP
Clients will use HTTPS to download content when it is available. However, the same port number is used for
either HTTP or HTTPS.

Configure the Client Cache for Configuration Manager Clients on clients to ensure they have enough space
to hold and store the images you deploy. Windows PE Peer Cache does not affect the configuration or
behavior of the client cache.
The deployment options for the task sequence deployment must be configured as Download content locally
when needed by task sequence.

Configure Windows PE Peer Cache

You can use the following methods to provision a client with peer cache content so it can serve as a peer cache
source:
A peer cache client that cannot find a peer cache source with the content will download it from a distribution
point. If the client receives client settings that enable peer cache and the task sequence is configured to
preserve the cached content, the client becomes a peer cache source.
A peer cache client can get content from another peer cache client (a peer cache source). Because the client is
configured for peer cache, when it runs a task sequence that is configured to preserve the cached content,
the client becomes a peer cache source.
A client runs a task sequence that includes the optional step, Download Package Content, which is used to
prestage the relevant content that is included in the Windows PE Peer Cache task sequence. When you use
this method:
The client does not need to install the image that is being deployed.
In addition to the Download Package Content option, the task sequence must also use the
Configuration Manager client cache option. You use this option to store the content in the clients
 cache so the client can act as a peer cache source for other peer cache clients.
The following procedures will help you configure Windows PE Peer Cache on clients and configure task
sequences that support peer cache.
To configure the Windows PE Peer Cache source computers
1. In the Configuration Manager console, navigate to Administration > Client Settings , and then create a
new Custom Client Device Settings or edit an existing settings object. You can also configure this for the
Default Client Settings object.

TIP
Use a custom settings object to manage which clients receive this configuration. For example, you might want to
avoid configuring this on the laptops of users who are frequently on the move. A highly mobile system can be a poor
source to provide content to other peer cache clients.
Also remember that when you configure this setting as part of the Default Client Settings , the configuration
applies to all clients in your environment.

2. Under Client Cache Settings , set Enable Configuration Manager client in full OS to share content
to Yes .
By default, only HTTP is enabled. If you want to enable clients to download content over HTTPS, set
Enable HTTPS for client peer communication to Yes .
By default, the port for broadcasts is set to 8004 and the port for content downloads is set to 8003.
You can change both.
3. Save and deploy the Client Settings to the clients that you select to be a peer cache source.
After a device is configured with this settings object, the device is configured to act as a peer cache source.
These settings should be deployed to potential peer cache clients to configure the required ports and
protocols.
Configure a task sequence for Windows PE Peer Cache
When you configure the task sequence, use the following task sequence variables as Collection Variables on the
collection to which the task sequence is deployed:
SMSTSPeerDownload
Value: TRUE
This enables the client to use Windows PE Peer Cache.
SMSTSPeerRequestPor t
Value: <Port number>
When you do not use the default port configured in the Client Settings (8004), you must configure this
variable with a custom value of the network port to use for the initial broadcast.
SMSTSPreser veContent
Value: TRUE
This flags the content in the task sequence to be retained in the Configuration Manager client cache after the
deployment. This is different than using SMSTSPersisContent which only preserves the content for the
duration of the task sequence and uses the task sequence cache, not the Configuration Manager client cache.
For more information, see Task sequence variables.
Validate the success of using Windows PE peer cache
After you use Windows PE peer cache to deploy and install a task sequence, you can confirm that peer cache was
successfully used in the process by viewing the smsts.log on the client that ran the task sequence.
In the log, locate an entry similar to the following where <SourceServerName> identifies the computer from which
the client obtained the content. This computer should be a peer cache source, and not a distribution point server.
Other details will vary based on your local environment and configurations.
<![LOG[Downloaded file from http://
<SourceServerName>:8003/SCCM_BranchCache$/SS10000C/sccm?/install.wim to
C:\_SMSTaskSequence\Packages\SS10000C\install.wim ]LOG]!><time="14:24:33.329+420" date="06-26-
2015" component="ApplyOperatingSystem" context="" type="1" thread="1256"
file="downloadcontent.cpp:1626">
 OS deployment methods with Configuration
Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

There are different methods that you can use to deploy an OS in your Configuration Manager environment:
Use PXE to deploy Windows over the network
Use Software Center to deploy Windows over the network
Use bootable media to deploy Windows over the network
Use standalone media to deploy Windows without using the network
Use multicast to deploy Windows over the network
Create an image for an OEM in factory or a local depot
Create a task sequence for non-OS deployments
Deploy Windows to Go
 Use PXE to deploy Windows over the network with
Configuration Manager
9/4/2020 • 8 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Preboot execution environment (PXE)-initiated OS deployments in Configuration Manager let clients request and
deploy operating systems over the network. For this deployment method, you send the OS image and the boot
images to a PXE-enabled distribution point.

NOTE
When you create an OS deployment that targets only x64 BIOS computers, both the x64 boot image and x86 boot image
must be available on the distribution point.

You can use PXE-initiated OS deployments in the following scenarios:

Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Complete the steps in one of the OS deployment scenarios, and then use the sections in this article to prepare
for PXE-initiated deployments.

WARNING
If you use PXE deployments, and configure device hardware with the network adapter as the first boot device, these
devices can automatically start an OS deployment task sequence without user interaction. Deployment verification doesn't
manage this configuration. While this configuration may simplify the process and reduce user interaction, it puts the
device at greater risk for accidental reimage.

Starting in version 2006, PXE-based task sequences can download cloud-based content. The PXE-enabled
distribution point still requires the boot image, and the device needs an intranet connection to the management
point. It can then get additional content from a content-enabled cloud management gateway (CMG) or cloud
distribution point. For more information, see Support for cloud-based content.

Configure distribution points for PXE

To deploy operating systems to Configuration Manager clients that make PXE boot requests, configure one or
more distribution points to accept PXE requests. Then the distribution point responds to PXE boot requests, and
determines the appropriate deployment action. For more information, see Install or modify a distribution point.

NOTE
When you configure a single PXE-enabled distribution point to support multiple subnets, it's not supported to use DHCP
options. To allow the network to forward client PXE requests to PXE-enabled distribution points, configure IP helpers on
the routers.

In version 1810, it's not supported to use the PXE responder without WDS on servers that are also running a
DHCP server.
Starting in version 1902, when you enable a PXE responder on a distribution point without Windows
Deployment Service, it can now be on the same server as the DHCP service. Add the following settings to
support this configuration:
Set the DWord value DoNotListenOnDhcpPor t to 1 in the following registry key:
HKLM\Software\Microsoft\SMS\DP .
Set DHCP option 60 to PXEClient .
Restart the SCCMPXE and DHCP services on the server.

Prepare a PXE-enabled boot image

To use PXE to deploy an OS, distribute both x86 and x64 PXE-enabled boot images to one or more PXE-enabled
distribution points.
To enable PXE on a boot image, select Deploy this boot image from the PXE-enabled distribution
point from the Data Source tab in the boot image properties.
When you change the properties for the boot image, update and redistribute the boot image to
distribution points. For more information, see Distribute content.

Manage duplicate hardware identifiers

Configuration Manager may recognize multiple computers as the same device if they have duplicate SMBIOS
attributes or you use a shared network adapter. Mitigate these issues by managing duplicate hardware identifiers
in hierarchy settings. For more information, see Manage duplicate hardware identifiers.

Create an exclusion list for PXE deployments

NOTE
In some circumstances, the process to Manage duplicate hardware identifiers may be easier.
The behaviors of each can cause different results in some scenarios. The exclusion list never boots a client with the listed
MAC address, no matter what.
The duplicate ID list doesn't use the MAC address to find the task sequence policy for a client. If it matches the SMBIOS ID,
or if there's a task sequence policy for unknown machines, the client still boots.

When you deploy operating systems with PXE, you can create an exclusion list on each distribution point. Add
the MAC addresses to the exclusion list of the computers you want the distribution point to ignore. Listed
computers don't receive the deployment task sequences that Configuration Manager uses for PXE deployment.
1. Create a text file on the PXE-enabled distribution point. For example, name the file pxeExceptions.txt .
2. Use a plain text editor, such as Notepad, to edit the file. Add the MAC addresses of the computers that the
PXE-enabled distribution point should ignore. Separate the MAC address values by colons, and enter each
address on a separate line. For example: 01:23:45:67:89:ab
3. Save the text file on the PXE-enabled distribution point. You can save it to any location on the server.
4. Edit the registry on the PXE-enabled distribution point. Browse to the following registry path:
HKLM\Software\Microsoft\SMS\DP . Create a MACIgnoreListFile string value. Add the full path to the text
file on the PXE-enabled distribution point.
 WARNING
If you use the Registry Editor incorrectly, you might cause serious problems that may require you to reinstall
Windows. Microsoft can't guarantee that you can solve problems that result from using the Registry Editor
incorrectly. Use the Registry Editor at your own risk.

5. After you make this registry change, restart the WDS service or PXE responder service. You don't need to
restart the server.

RamDisk TFTP block size and window size

You can customize the RamDisk TFTP block and window sizes for PXE-enabled distribution points. If you've
customized your network, a large block or window size could cause the boot image download to fail with a time-
out error. The RamDisk TFTP block and window size customizations allow you to optimize TFTP traffic when
using PXE to meet your specific network requirements. To determine what configuration is most efficient, test the
customized settings in your environment. For more information, see Customize the RamDisk TFTP block size and
window size on PXE-enabled distribution points.

Configure deployment settings

To use a PXE-initiated OS deployment, configure the deployment to make the OS available for PXE boot requests.
Configure available operating systems on the Deployment Settings tab in the deployment properties. For the
Make available to the following setting, select one of the following options:
Configuration Manager clients, media, and PXE
Only media and PXE
Only media and PXE (hidden)

Option 82 during PXE DHCP handshake

Starting with version 1906, Configuration Manager supports option 82 during the PXE DHCP handshake with
the PXE responder without WDS. If you require option 82, make sure to use the PXE responder without WDS.
Configuration Manager doesn't support option 82 with WDS.

Deploy the task sequence

Deploy the OS to a target collection. For more information, see Deploy a task sequence. When you deploy
operating systems by using PXE, you can configure whether the deployment is required or available.
Required deployment : Required deployments use PXE without any user intervention. The user can't
bypass the PXE boot. However, if the user cancels the PXE boot before the distribution point responds, the
OS isn't deployed.
Available deployment : Available deployments require that the user is present at the destination
computer. A user must press the F12 key to continue the PXE boot process. If a user isn't present to press
F12 , the computer boots into the current OS, or from the next available boot device.
You can redeploy a required PXE deployment by clearing the status of the last PXE deployment assigned to a
Configuration Manager collection or a computer. For more information on the Clear Required PXE
Deployments action, see Manage clients or Manage collections. This action resets the status of that deployment
and reinstalls the most recent required deployments.
 IMPORTANT
The PXE protocol isn't secure. Make sure that the PXE server and the PXE client are located on a physically secure network,
such as in a data center, to prevent unauthorized access to your site.

How the boot image is selected for PXE

When a client boots with PXE, Configuration Manager provides the client with a boot image to use. Configuration
Manager uses a boot image with an exact architecture match. If a boot image with the exact architecture isn't
available, Configuration Manager uses a boot image with a compatible architecture.
The following list provides details about how a boot image is selected for clients booting with PXE:
1. Configuration Manager looks in the site database for the system record that matches the MAC address or
SMBIOS of the client that's trying to boot.

NOTE
If a computer that's assigned to a site boots to PXE for a different site, the policies aren't visible for the computer.
For example, if a client is already assigned to site A, the management point and distribution point for site B aren't
able to access the policies from site A. The client doesn't successfully PXE boot.

2. Configuration Manager looks for task sequences that are deployed to the system record found in step 1.
3. In the list of task sequences found in step 2, Configuration Manager looks for a boot image that matches
the architecture of the client that's trying to boot. If a boot image is found with the same architecture, that
boot image is used.
If it finds more than one boot image, it uses the highest or most recent task sequence deployment ID. In
the case of a multi-site hierarchy, the higher letter site would take precedence in that string comparison.
For example, if they're both matched otherwise, a year-old deployment from site ZZZ is selected over
yesterday's deployment from site AAA.
4. If a boot image isn't found with the same architecture, Configuration Manager looks for a boot image
that's compatible with the architecture of the client. It looks in the list of task sequences found in step 2.
For example, a 64-bit BIOS/MBR client is compatible with 32-bit and 64-bit boot images. A 32-bit
BIOS/MBR client is compatible with only 32-bit boot images. UEFI clients are only compatible with
matching architecture. A 64-bit UEFI client is compatible with only 64-bit boot images and a 32-bit UEFI
client is compatible with only 32-bit boot images.

Next steps
User experiences for OS deployment
 Use Software Center to deploy Windows over the
network with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

You can make a task sequence that installs an OS available in Software Center. A user can run a task sequence
from Software Center for the following OS deployment scenarios:
Refresh an existing computer with a new version of Windows
Upgrade Windows to the latest version
Create a task sequence for non-OS deployments
Complete the steps in one of those OS deployment scenarios. Then use the following sections to prepare for
deployments that are available in Software Center.

Deploy the task sequence

Deploy the task sequence to a target collection. For more information, see Deploy a task sequence.
On the Deployment Settings page of the deployment, for the Make available to the following setting, select
one of the following options:
Only Configuration Manager Clients
Configuration Manager clients, media and PXE
Also configure whether the deployment is required or available:
Required deployment: Required deployments make the task sequence available in Software Center. It
automatically starts at the configured deadline.
Available deployment: The task sequence is available in Software Center, and a user can install it on
demand.
After you create the deployment, clients in the target collection will show the task sequence in Software Center.

Next steps
User experiences for OS deployment
 Use bootable media to deploy Windows over the
network with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Bootable media only includes the boot image and a pointer to the task sequence. It downloads the OS image and
other referenced content from the network. Since the bootable media doesn't contain much content, you can
update the task sequence and most content without having to replace the media.
Deploy operating systems over the network with boot media in the following scenarios:
Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Replace an existing computer and transfer settings
Complete the steps in one of the OS deployment scenarios and then use the following sections to use bootable
media to deploy the OS.

Configure deployment settings

When you use bootable media to start the OS deployment process, configure the task sequence deployment to
make the OS available to the media. Set this option on the Deployment Settings page of the deployment. For
the Make available to the following setting, select one of the following options:
Configuration Manager clients, media, and PXE
Only media and PXE
Only media and PXE (hidden)
For more information, see Deploy a task sequence.

Create the bootable media

When you create bootable media, specify whether it's a USB flash drive or CD/DVD set. The computer that starts
the media must support the option that you choose as a bootable drive. For more information, see Create
bootable media.

Install the OS from bootable media

To install the OS, insert the bootable media, and then power on the computer.

Support for cloud-based content

Starting in version 2006, bootable media can download cloud-based content. For example, you send a USB key to
a user at a remote office to reimage their device. Or an office that has a local PXE server, but you want devices to
prioritize cloud services as much as possible. Instead of further taxing the WAN to download large OS deployment
content, boot media and PXE deployments can now get content from cloud-based sources. For example, a cloud
management gateway (CMG) that you enable to share content.
 NOTE
The device still needs an intranet connection to the management point.

When the task sequence runs, it downloads content from the cloud-based sources. Review smsts.log on the
client.
Prerequisites
Enable the following client setting in the Cloud Ser vices group: Allow access to cloud distribution
point . Make sure the client setting is deployed to the target clients. For more information, see About client
settings - Cloud services.
For the boundary group that the client is in:
Associate the content-enabled CMG or cloud distribution point site systems. For more information,
see Configure a boundary group.
Enable the following option: Prefer cloud based sources over on-premise sources . For more
information, see Boundary group options for peer downloads.
Distribute the content referenced by the task sequence to the content-enabled CMG or cloud distribution
point.

Next steps
User experiences for OS deployment
 Use standalone media to deploy Windows without
using the network
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Standalone media in Configuration Manager contains everything required to deploy an OS on a computer. The
media includes the boot image, OS image, task sequence policy, applications, drivers, and more. Standalone media
deployments let you deploy operating systems in the following conditions:
In environments where it isn't practical to copy an OS image or other large packages over the network.
In environments without network connectivity or low-bandwidth network connectivity.
Use standalone media in the following OS deployment scenarios:
Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Upgrade Windows to the latest version
Complete the steps in one of these OS deployment scenarios. Then use the following sections to prepare for and
create the standalone media.

Unsupported task sequence actions

When you use standalone media, Configuration Manager doesn't support the following actions in the task
sequence:
The Auto Apply Drivers step. Automatic application of device drivers from the driver catalog isn't
supported. To make a specific set of drivers available to Windows Setup, use the Apply Driver Package step.
Installing software updates.
Installing software before deploying the OS.
Associating users with the destination computer for user device affinity.
Dynamic package installs with the Install Package step.
Dynamic application installs with the Install Application step.
 NOTE
If your task sequence to deploy an OS includes the Install Package step, and you create the standalone media at a central
administration site (CAS), an error might occur. The CAS doesn't have the necessary client configuration policies to enable
the software distribution agent when the task sequence runs. The following error might appear in the CreateTsMedia.log
file:
"WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)"

For standalone media that includes an Install Package step, create the standalone media at a primary site that has the
software distribution agent enabled
Alternatively, edit the task sequence to add a Run Command Line step after the Setup Windows and ConfigMgr step. This
Run Command Line step runs the following WMI command to enable the software distribution agent before the first
Install Package step runs:

WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE

ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local",
PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE

Configure deployment settings

When you use standalone media to start the OS deployment process, configure the deployment to make the OS
available to media. On the Deployment Settings page of the deployment, for the Make available to the
following setting, select one of the following options:
Configuration Manager clients, media, and PXE
Only media and PXE
Only media and PXE (hidden)

Create the standalone media

You can specify whether the standalone media is a USB flash drive or CD/DVD set. The computer that will start the
media must support the option that you choose as a bootable drive. For more information, see Create standalone
media.

Install the OS from standalone media

To install the OS, insert the standalone media to the computer, and then power it on.

Next steps
User experiences for OS deployment
 Use multicast to deploy Windows over the network
with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Multicast is a network optimization method that you can use when multiple clients are likely to download the
same OS image at the same time. When you use multicast, multiple computers simultaneously download the OS
image as it's multicast by the distribution point. This behavior is instead of each client downloading a copy of the
image over a separate connection from the distribution point.
Deploy operating systems over the network by using multicast in the following OS deployment scenarios:
Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Complete the steps in one of these OS deployment scenarios. Then use the following sections to support
multicast.

Configure distribution points for multicast

To use multicast, configure at least one distribution point to support multicast. For more information, see Install
and configure distribution points.
For a list of ports required to support multicast, see Ports.

Prepare an OS image for multicast

You need to configure the OS image to support multicast. For more information, see Prepare the OS image for
multicast deployments.

Deploy the task sequence

Deploy the OS to a target collection. For more information, see Deploy a task sequence.

Next steps
User experiences for OS deployment
 Create an image for an OEM in factory or a local
depot with Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Prestaged media deployments in Configuration Manager let you deploy an OS to a computer that isn't fully
provisioned. The prestaged media is a Windows image (WIM) file. The manufacturer (OEM) can install it on a bare-
metal computer, or you can use it in a staging center that's separate from your production environment.
This method of deployment can reduce network traffic because the boot image and OS image are already on the
destination computer. You can specify applications, packages, and driver packages to also include in the prestaged
media. After it installs the OS on the computer, the task sequence first checks the prestaged cache for applications,
packages, or driver packages. If it can't find the necessary content, or there is a newer revision available online, the
task sequence downloads the content from a distribution point.
Use prestaged media in the following OS deployment scenarios:
Install a new version of Windows on a new computer (bare metal)
Replace an existing computer and transfer settings
Complete the steps in one of these OS deployment scenarios. Then use the following sections to prepare for and
create the prestaged media.

Configure deployment settings

On the Deployment Settings page of the deployment, for the Make available to the following setting, select
one of the following options:
Configuration Manager clients, media, and PXE
Only media and PXE
Only media and PXE (hidden)

Create the prestaged media

Create the prestaged media file to send to the OEM or your local depot. For more information, see Create
prestaged media with Configuration Manager.

Send the prestaged media file

Send the media to the OEM or your local depot to prestage on the computers. They apply the image file to a
formatted hard disk on the computer.

Deliver the computer

When you deliver the computer to a user, and turn it on for the first time:
1. The computer starts with the prestaged boot image.
2. It checks a hash on the prestaged media to make sure it's valid.
3. The computer connects to the management point for available task sequences to complete the process.

Next steps
User experiences for OS deployment
 Create a task sequence for non-OS deployments
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Task sequences in Configuration Manager are used to automate different kinds of tasks within your environment.
These tasks are primarily designed and tested for deploying operating systems. Configuration Manager has many
other features that should be the primary technology that you use for the following scenarios:
Application installation

NOTE
Starting in version 2002, install complex applications using task sequences via the application model. Add a
deployment type to an app that's a task sequence, either to install or uninstall the app. For more information, see
Create Windows applications.

Software updates installation

Setting configuration
Also consider other Microsoft System Center automation technologies, such as Orchestrator and Service
Management Automation.
The power of task sequences lies in their flexibility and how you use them. They can configure client settings,
distribute software, update drivers, edit user states, and do other tasks independent of OS deployment. You can
create a custom task sequence to add any number of tasks. The use of custom task sequences for non-OS
deployment is supported in Configuration Manager. However, if a task sequence results in unwanted or
inconsistent results, look at ways to simplify the operation:
Use simpler steps
Divide the actions across multiple task sequences
Take a phased approach to creating and testing the task sequence

Supported steps
The following steps are supported for use in a non-OS deployment custom task sequence:
Check Readiness
Connect To Network Folder
Download Package Content
Install Application
Install Package
Install Software Updates
Restart Computer
Run Command Line
Run PowerShell Script
 Run Task Sequence
Set Dynamic Variables
Set Task Sequence Variable

Next steps
Create a custom task sequence
 Deploy Windows To Go with Configuration Manager
9/4/2020 • 26 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

This topic provides the steps to provision Windows To Go in Configuration Manager. Windows To Go is an
enterprise feature of Windows 8 that enables the creation of a Windows To Go workspace that can be booted from
a USB-connected external drive on computers that meet the Windows 7 or Windows 8 certification requirements,
regardless of the operating system running on the computer. Windows To Go workspaces can use the same image
enterprises use for their desktops and laptops and can be managed the same way.
For more information about Windows To Go, see Windows To Go feature overview.

Provision Windows To Go
Windows To Go is an operating system stored on a USB-connected external drive. You can provision the Windows
To Go drive much like you provision other operating system deployments. However, because Windows To Go is
designed to be a user-centric and highly mobile solution, you must take a slightly different approach to
provisioning these drives.
At a high level, Windows To Go is a two-phased deployment that allows you to configure the Windows To Go
device and prestage content for the operating system deployment. You can achieve this with minimal impact to the
user and limit downtime for the user's computer. After you prestage the computer, you must complete the
provisioning process to ensure the computer is ready for the user. The provisioning process is similar to the current
operating system deployment process. The following lists the general workflow to prestage content and provision
Windows To Go:
1. Prerequisites to provision Windows To Go
2. Create prestaged media
3. Create a Windows To Go Creator package
4. Update the task sequence to enable BitLocker for Windows To Go
5. Deploy the Windows To Go Creator package and task sequence
6. User runs the Windows To Go Creator
7. Configuration Manager configures and stages the Windows To Go drive
8. User logs in to Windows 8
Prerequisites to provision Windows To Go
Before you provision Windows To Go, you must complete the following in Configuration Manager:
Distribute a boot image to a distribution point
Before you create prestaged media, you must distribute the boot image to a distribution point.
 NOTE
Boot images are used to install the operating system on the destination computers in your Configuration Manager
environment. They contain a version of Windows PE that installs the operating system, as well as any additional
device drivers that are required. Configuration Manager provides two boot images: One to support x86 platforms
and one to support x64 platforms. You can also create your own boot images. For more information, see Manage
boot images.

Distribute the Windows 8 operating system image to a distribution point

Before you create prestaged media, you must distribute the Windows 8 operating system image to a
distribution point.

NOTE
Operating system images are .WIM format files and represent a compressed collection of reference files and folders
that are required to successfully install and configure an operating system on a computer. For more information, see
Manage operating system images.

Create a Task Sequence to Deploy Windows 8

You must create a task sequence for a Windows 8 deployment that you will reference when you create
prestaged media. For more information, see Manage task sequences to automate tasks.
Create prestaged media
Prestaged media contains the boot image used to start the destination computer and the operating system image
that is applied to the destination computer. The computer that you provision with prestaged media can be started
by using the boot image. The computer can then run an existing operating system deployment task sequence to
install a complete operating system deployment. The task sequence that deploys the operating system is not
included in the media.
You can add content, such as applications and device drivers, in addition to the operating system image and boot
image during the prestage phase. This reduces the time it takes to deploy an operating system and reduces
network traffic because the content is already on the drive.
Use the following procedure to create the prestaged media.
To create prestaged media
1. In the Configuration Manager console, click Software Librar y .
2. In the Software Librar y workspace, expand Operating Systems , and then click Task Sequences .
3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task
Sequence Media Wizard.
4. On the Select Media Type page, specify the following information, and then click Next .
Select Prestaged media .
Select Allow unattended operating system deployment to boot to the Windows To Go
deployment with no user interaction.
 IMPORTANT
When you use this option with the SMSTSPreferredAdvertID custom variable (set later in this procedure), no
user interaction is required and the computer will automatically boot to the Windows To Go deployment
when it detects a Windows To Go drive. The user is still prompted for a password if the media is configured
for password protection. If you use the Allow unattended operating system deployment setting
without configuring the SMSTSPreferredAdvertID variable, an error will occur when you deploy the task
sequence.

5. On the Media Management page, specify the following information, and then click Next .
Select Dynamic media if you want to allow a management point to redirect the media to another
management point, based on the client location in the site boundaries.
Select Site-based media if you want the media to contact only the specified management point.
6. On the Media Proper ties page, specify the following information, and then click Next .
Created by : Specify who created the media.
Version : Specify the version number of the media.
Comment : Specify a unique description of what the media is used for.
Media file : Specify the name and path of the output files. The wizard writes the output files to this
location. For example: \\ser vername\folder\outputfile.wim
7. On the Security page, specify the following information, and then click Next .
Select Enable unknown computer suppor t to allow the media to deploy an operating system to a
computer that is not managed by Configuration Manager. There is no record of these computers in
the Configuration Manager database. Unknown computers include the following:
A computer where the Configuration Manager client is not installed
A computer that is not imported into Configuration Manager
A computer that is not discovered by Configuration Manager
Select Protect the media with a password and enter a strong password to help protect the media
from unauthorized access. When you specify a password, the user must provide that password to use
the prestaged media.

IMPORTANT
As a security best practice, always assign a password to help protect the prestaged media.

NOTE
When you protect the prestaged media with a password, the user is prompted for the password even when
the media is configured with the Allow unattended operating system deployment setting.

For HTTP communications, select Create self-signed media cer tificate , and then specify the start
and expiration date for the certificate.
For HTTPS communications, select Impor t PKI cer tificate , and then specify the certificate to import
and its password.
 For more information about this client certificate that is used for boot images, see PKI certificate
requirements.
User Device Affinity : To support user-centric management in Configuration Manager, specify how
you want the media to associate users with the destination computer. For more information about
how operating system deployment supports user device affinity, see Associate users with a
destination computer.
Specify Allow user device affinity with auto-approval if you want the media to
automatically associate users with the destination computer. This functionality is based on the
actions of the task sequence that deploys the operating system. In this scenario, the task
sequence creates a relationship between the specified users and destination computer when it
deploys the operating system to the destination computer.
Specify Allow user device affinity pending administrator approval if you want the
media to associate users with the destination computer after approval is granted. This
functionality is based on the scope of the task sequence that deploys the operating system. In
this scenario, the task sequence creates a relationship between the specified users and the
destination computer, but waits for approval from an administrative user before the operating
system is deployed.
Specify Do not allow user device affinity if you do not want the media to associate users
with the destination computer. In this scenario, the task sequence does not associate users with
the destination computer when it deploys the operating system.
8. On the Task Sequence page, specify the Windows 8 task sequence that you created in the previous section.
9. On the Boot image page, specify the following information, and then click Next .

IMPORTANT
The architecture of the boot image that is distributed must be appropriate for the architecture of the destination
computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can boot and run only an x86 boot image. For Windows 8 certified computers in EFI mode, you
must use an x64 boot image.

Boot image : Specify the boot image to start the destination computer.
Distribution point : Specify the distribution point that hosts the boot image. The wizard retrieves the
boot image from the distribution point and writes it to the media.

NOTE
The administrative user must have Read access rights to the boot image content on the distribution point.
For more information, see Package access account.

If you selected Site-based media on the Media Management page of this wizard, in the
Management point box, specify a management point from a primary site.
If you selected Dynamic media on the Media Management page of the wizard, in the Associated
management points box, specify the primary site management points to use and a priority order
for the initial communications.
10. On the Images page, specify the following information, and then click Next .
Image package : Specify the package that contains the Windows 8 operating system image.
 Image index : Specify the image to deploy if the package contains multiple operating system images.
Distribution point : Specify the distribution point that hosts the operating system image package.
The wizard retrieves the operating system image from the distribution point and writes it to the
media.

NOTE
The administrative user must have Read access rights to the operating system image content on the
distribution point. For more information, see Package access account.

11. On the Select Application page, select application content to include in the media file, and then click Next .
12. On the Select Package page, select additional package content to include in the media file, and then click
Next .
13. On the Select Driver Package page, select driver package content to include in the media file, and then
click Next .
14. On the Distribution Points page, select one or more distribution points that contain the content required
by the task sequence, and then click Next .
15. On the Customization page, specify the following information, and then click Next .
Variables : Specify the variables that the task sequence uses to deploy the operating system. For
Windows To Go, use the SMSTSPreferredAdvertID variable to automatically select the Windows To Go
deployment by using the following format:
SMSTSPreferredAdvertID = {DeploymentID}, where DeploymentID is the deployment ID associated
with the task sequence that you will use to complete the provisioning process for the Windows To Go
drive.

TIP
When you use this variable with a task sequence that is set to run unattended (set earlier in this procedure),
no user interaction is required and the computer automatically boots to the Windows To Go deployment
when it detects a Windows To Go drive. The user is still prompted for a password if the media is configured
for password protection.

Prestar t commands : Specify any prestart commands that you want to run before the task sequence
runs. Prestart commands can be a script or executable that can interact with the user in Windows PE
before the task sequence runs to install the operating system. Configure the following for the
Windows To Go deployment:
OSDBitLockerPIN : BitLocker for Windows To Go requires a passphrase. Set the
OSDBitLockerPIN variable as part of a prestart command to set the BitLocker passphrase for
the Windows To Go drive.

WARNING
After BitLocker is enabled for the passphrase, the user must enter the passphrase each time the
computer boots to the Windows To Go drive.

SMSTSUDAUsers : Specifies the primary user of the destination computer. Use this variable
to collect the user name, which can then be used to associate the user and device. For more
 information, see Associate users with a destination computer.

TIP
To retrieve the username, you can create an input box as part of the prestart command, have the user
enter their username, and then set the variable with the value. For example, you can add the following
lines to the prestart command script file:
UserID = inputbox("Enter Username" ,"Enter your username:","",400,0)

env("SMSTSUDAUsers") = UserID

For more information about how to create a script file to use as your prestart command, see
Prestart commands for task sequence media.
16. Complete the wizard.

NOTE
It can take an extended period of time for the wizard to complete the prestaged media file.

Create a Windows To Go Creator package

As part of the Windows To Go deployment, you must create a package to deploy the prestage media file. The
package must include the tool that configures the Windows To Go drive and extracts the prestaged media to the
drive. Use the following procedure to create the Windows To Go Creator package.
To create the Windows To Go Creator package
1. On the server to host the Windows To Go Creator package files, create a source folder for the package
source files.

NOTE
The computer account of the site server must have Read access rights to the source folder.

2. Copy the prestaged media file that you created in the Create prestaged media section to the package source
folder.
3. Copy the Windows To Go Creator tool (WTGCreator.exe) to the package source folder. The creator tool is
available on any primary site server at the following location:
<ConfigMgrInstallationFolder>\OSD\Tools\WTG\Creator.
4. Create a package and program by using the Create Package and Program Wizard.
5. In the Configuration Manager console, click Software Librar y .
6. In the Software Librar y workspace, expand Application Management , and then click Packages .
7. On the Home tab, in the Create group, click Create Package .
8. On the Package page, specify the name and description of the package. For example, enter Windows To
Go for the package name and specify Package to configure a Windows To Go drive using
Configuration Manager for the package description.
9. Select This package contains source files , specify the path to the package source folder that you created
in step 1, and then click Next .
10. On the Program Type page, select Standard program , and then click Next .
11. On the Standard Program page, specify the following:
Name : Specify the name of the program. For example, type Creator for the program name.
Command Line : Type WTGCreator.exe /wim:PrestageName.wim , where PrestageName is the
name of prestaged file that you created and copied to the package source folder for the Windows To
Go Creator package.
Optionally, you can add the following options:
enableBootRedirect : command-line option to change the Windows To Go startup options to
allow boot redirection. When you use this option, the computer will boot from USB without
having to change the boot order in the computer firmware or have the user select from a list of
boot options during startup. If a Windows To Go drive is detected, the computer boots to that
drive.
Run : Specify Normal to run the program based on the system and program defaults.
Program can run : Specify whether the program can run only when a user is logged on.
Run mode : Specify whether the program will run with the logged on users permissions or with
administrative permissions. The Windows To Go Creator requires elevated permissions to run.
Select Allow users to view and interact with the program installation , and then click Next .
12. On the Requirements page, specify the following:
Platform requirements : Select the applicable Windows 8 platforms to allow provisioning.
Estimated disk space : Specify the size of the package source folder for the Windows To Go Creator.
Maximum allowed run time (minutes) : Specifies the maximum time that the program is expected
to run on the client computer. By default, this value is set to 120 minutes.

IMPORTANT
If you are using maintenance windows for the collection on which this program is run, a conflict might occur if
the Maximum allowed run time is longer than the scheduled maintenance window. If the maximum run
time is set to Unknown , it will start during the maintenance window, but will continue to run until it
completes or fails after the maintenance window is closed. If you set the maximum run time to a specific
period (not set to Unknown) that exceeds the length of any available maintenance window, then that
program will not be run.

NOTE
If the value is set to Unknown , Configuration Manager sets the maximum allowed run time to 12 hours (720
minutes).

NOTE
If the maximum run time (whether set by the user or as the default value) is exceeded, Configuration
Manager stops the program if run with administrative rights is selected and Allow users to view and
interact with the program installation is not selected on the Standard Program page.

Click Next and complete the wizard.

Update the task sequence to enable BitLocker for Windows To Go
 Windows To Go enables BitLocker on an external bootable drive without the use of TPM. Therefore, you must use a
separate tool to configure BitLocker on the Windows To Go drive. To enable BitLocker, you must add an action to
the task sequence after the Setup Windows and ConfigMgr step.

NOTE
BitLocker for Windows To Go requires a passphrase. In the Create prestaged media step, you set the passphrase as part of a
prestart command by using the OSDBitLockerPIN variable.

Use the following procedure to update the Windows 8 task sequence to enable BitLocker for Windows To Go.
To update the Windows 8 task sequence to enable BitLocker
1. In the Configuration Manager console, click Software Librar y .
2. In the Software Librar y workspace, expand Application Management , and then click Packages .
3. On the Home tab, in the Create group, click Create Package .
4. On the Package page, specify the name and description of the package. For example, type BitLocker for
Windows To Go for the package name and specify Package to update BitLocker for Windows To Go
for the package description.
5. Select This package contains source files , specify the location for the BitLocker tool for Windows To Go,
and then click Next . The BitLocker tool is available on any Configuration Manager primary site server at the
following location: <ConfigMgrInstallationFolder>\OSD\Tools\WTG\BitLocker\
6. On the Program Type page, select Do not create a program .
7. Click Next and complete the wizard.
8. In the Configuration Manager console, click Software Librar y .
9. In the Software Librar y workspace, expand Operating Systems , and then click Task Sequences .
10. Select the Windows 8 task sequence that you reference in the prestaged media.
11. On the Home tab, in the Task Sequence group, click Edit .
12. Click the Setup Windows and ConfigMgr step, click Add , click General , and then click Run Command
Line . The Run Command Line step is added after the Setup Windows and ConfigMgr step.
13. On the Proper ties tab for the Run Command Line step, add the following:
a. Name : Specify a name for the command line, such as Enable BitLocker for Windows To Go .
b. Command Line : i386\osdbitlocker_wtg.exe /Enable /pwd:< None|AD>
Parameters:
/pwd:<None|AD> - Specify the BitLocker password recovery mode. This parameter is required
you use the /Enable parameter is in the command-line.
Select AD to configure BitLocker Drive Encryption to back up recovery information for
BitLocker-protected drives to Active Directory Domain Services (AD DS). Backing up recovery
passwords for a BitLocker-protected drive allows administrative users to recover the drive if it
is locked. This ensures that encrypted data belonging to the enterprise can always be accessed
by authorized users. When you specify None , the user is responsible for keeping a copy of the
recovery password or recovery key. If the user loses that information or neglects to decrypt
the drive before leaving the organization, administrative users cannot easily access to the
drive.
 /wait:<TRUE|FALSE> - Specify whether the task sequence waits for encryption to complete
before it completes.
c. Select Package , and then specify the package that you created at the start of this procedure.
d. On the Options tab, add the following conditions:
Condition = Task Sequence Variable
Variable = _SMSTSWTG
Condition = Equals
Value = True

NOTE
The Enable BitLocker step, which is likely after the new command-line step, is not used to enable BitLocker for
Windows To Go. However, you can keep this step in the task sequence to use for Windows 8 deployments that do
not use a Windows To Go drive.

Deploy the Windows To Go Creator package and task sequence

Windows To Go is a hybrid deployment process. Therefore, you must deploy the Windows To Go Creator package
and the Windows 8 task sequence. Use the following procedures to complete the deployment process.
To deploy the Windows To Go Creator package
1. In the Configuration Manager console, click Software Librar y .
2. In the Software Librar y workspace, expand Application Management , and then click Packages .
3. Select the Windows To Go package that you created in the Create a Windows To Go Creator package step.
4. On the Home tab, in the Deployment group, click Deploy .
5. On the General page, specify the following settings:
a. Software : Verify that the Windows To Go package is selected.
b. Collection : Click Browse to select the collection to which you want to deploy the Windows To Go
package.
c. Use default distribution point groups associated to this collection : Select this option if you
want to store the package content on the collections default distribution point group. If you have not
associated the selected collection with a distribution point group, this option will be unavailable.
6. On the Content page, click Add and then select the distribution points or distribution point groups to which
you want to deploy the content associated with this package and program.
7. On the Deployment Settings page, select Available for the deployment type, and then click Next .
8. On the Scheduling , configure when this package and program will be deployed or made available to client
devices.
The options on this page will differ depending on whether the deployment action is set to Available or
Required .
9. On the Scheduling , configure the following settings, and then click Next .
a. Schedule when this deployment will become available : Specify the date and time when the
package and program is available to run on the destination computer. When you select UTC , this
setting ensures that the package and program is available for multiple destination computers at the
 same time rather than at different times, according to the local time on the destination computers.
b. Schedule when this deployment will expire : Specify the date and time when the package and
program expires on the destination computer. When you select UTC , this setting ensures that the task
sequence expires on multiple destination computers at the same time rather than at different times,
according to the local time on the destination computers.
10. On the User Experience page of the Wizard, specify the following information:
Software installation : Allows the software to be installed outside of any configured maintenance
windows.
System restar t (if required to complete the installation) : Allows a device to restart outside of
configured maintenance windows when required by the software installation.
Embedded Devices : When you deploy packages and programs to Windows Embedded devices that
are write filter enabled, you can specify to install the packages and programs on the temporary
overlay and commit changes later, or commit the changes at the installation deadline or during a
maintenance window. When you commit changes at the installation deadline or during a
maintenance window, a restart is required and the changes persist on the device.
11. On the Distribution Points page, specify the following information:
Deployment options: Specify Download content from distribution point and run locally .
Allow clients to share content with other clients on the same subnet : Select this option to
reduce load on the network by allowing clients to download content from other clients on the
network that have already downloaded and cached the content. This option utilizes Windows
BranchCache and can be used on computers running Windows Vista SP2 and later.
All clients to use a fallback source location for content : Specify whether to allow clients to fall
back and use a non-preferred distribution point as the source location for content when the content
is not available on a preferred distribution point.
12. Complete the wizard.
To deploy the Windows 8 task sequence
1. In the Configuration Manager console, click Software Librar y .
2. In the Software Librar y workspace, expand Operating Systems , and then click Task Sequences .
3. Select the Windows 8 task sequence that you created in the Prerequisites to provision Windows To Go step.
4. On the Home tab, in the Deployment group, click Deploy .
5. On the General page, specify the following settings:
a. Task sequence : Verify that the Windows 8 task sequence is selected.
b. Collection : Click Browse to select the collection that includes all devices for which a user might
provision Windows To Go.

IMPORTANT
If the prestaged media that you created in the Create prestaged media section uses the
SMSTSPreferredAdvertID variable, you can deploy the task sequence to the All Systems collection and
specify the Windows PE only (hidden) setting on the Content page. Because the task sequence is hidden,
it will only be available to media.

c. Use default distribution point groups associated to this collection : Select this option if you
 want to store the package content on the collections default distribution point group. If you have not
associated the selected collection with a distribution point group, this option will be unavailable.
6. On the Deployment Settings page, configured the following settings, and then click Next .
Purpose : Select Available . When you deploy the task sequence to a user, the user sees the
published task sequence in the Application Catalog and can request it on demand. If you deploy the
task sequence to a device, the user will see the task sequence in Software Center and can install it on
demand.
Make available to the following : Specify whether the task sequence is available to Configuration
Manager clients, media, or PXE.

IMPORTANT
Use the Only media and PXE (hidden) setting for automated task sequence deployments. Select Allow
unattended operating system deployment and set the SMSTSPreferredAdvertID variable as part of the
prestaged media to have the computer automatically boot to the Windows To Go deployment with no user
interaction when it detects a Windows To Go drive. For more information about these prestaged media
settings, see the Create prestaged media section.

7. On the Scheduling page, configure the following settings, and then click Next .
a. Schedule when this deployment will become available : Specify the date and time when the
task sequence is available to run on the destination computer. When you select UTC , this setting
ensures that the task sequence is available for multiple destination computers at the same time
rather than at different times, according to the local time on the destination computers.
b. Schedule when this deployment will expire : Specify the date and time when the task sequence
expires on the destination computer. When you select UTC , this setting ensures that the task
sequence expires on multiple destination computers at the same time rather than at different times,
according to the local time on the destination computers.
8. On the User Experience page, specify the following information:
Show Task Sequence progress : Specify whether the Configuration Manager client displays the
progress of the task sequence.
Software installation : Specify whether the user is allowed to install software outside a configured
maintenance windows after the scheduled time.
System restar t (if required to complete the installation) : Allows a device to restart outside of
configured maintenance windows when required by the software installation.
Embedded Devices : When you deploy packages and programs to Windows Embedded devices that
are write filter enabled, you can specify to install the packages and programs on the temporary
overlay and commit changes later, or commit the changes at the installation deadline or during a
maintenance window. When you commit changes at the installation deadline or during a
maintenance window, a restart is required and the changes persist on the device.
Internet-based clients : Specify whether the task sequence is allowed to run on an Internet-based
client. Operations that install software, such as an operating system, are not supported with this
setting. Use this option only for generic script-based task sequences that perform operations in the
standard operating system.
9. On the Aler ts page, specify the alert settings that you want for this task sequence deployment, and then
click Next .
10. On the Distribution Points page, specify the following information, and then click Next .
Deployment options : Select Download content locally when needed by running task
sequence .
When no local distribution point is available, use a remote distribution point : Specify
whether clients can use distribution points that are on slow and unreliable networks to download the
content that is required by the task sequence.
Allow clients to use a fallback source location for content :
Prior to version 1610, you can select the Allow fallback source location for content check box to
allow clients outside these boundary groups to fall back and use the distribution point as a source
location for content when no other distribution points are available.
Beginning with version 1610, you no longer can configure Allow fallback source location for
content . Instead, you configure relationships between boundary groups that determine when a
client can begin to search additional boundary groups for a valid content source location.
11. Complete the wizard.
User runs the Windows To Go Creator
After you deploy the Windows To Go package and Windows 8 task sequence, the Windows To Go Creator is
available to the user. The user can go to the software catalog, or Software Center if the Windows To Go Creator was
deployed to devices, and run the Windows To Go Creator program. Once the creator package is downloaded, a
flashing icon is displayed on the task bar. When the user clicks the icon, a dialog box is displayed for the user to
select the Windows To Go drive to provision (unless the /drive command-line option is used). If the drive does not
meet the requirements for Windows To Go or if the drive does not have enough free disk space to install the image,
the creator program displays an error message. The user can verify the drive and image that will be applied from
the confirmation page. As the creator configures and prestages content to the Windows To Go drive, it displays a
progress dialog box. After the prestaging is complete, the creator displays a prompt to restart the computer to boot
to the Windows To Go drive.

NOTE
If you did not enable boot redirection as part of the command line for the creator program in the Create a Windows To Go
Creator package section, the user might be required to manually boot to the Windows To Go drive on every system restart.

Configuration Manager configures and stages the Windows To Go drive

After the computer restarts to the Windows To Go drive, the drive will boot into Windows PE and connect to the
management point to get the policy to complete the operating system deployment. Configuration Manager
configures and stages the drive. After Configuration Manager stages the drive, the user can restart the computer to
finalize the provisioning process (such as to join a domain or install apps). This process is the same for any
prestaged media.
User logs in to Windows 8
After Configuration Manager completes the provisioning process and the Windows 8 lock screen is displayed, the
user can login to the operating system.
 Manage task sequences to automate tasks
9/4/2020 • 18 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Use task sequences to automate steps in your Configuration Manager environment. These steps can deploy an OS
image to a destination computer, build and capture an OS image from a set of OS installation files, and capture
and restore user state information. Task sequences are located in the Configuration Manager console. In the
Software Librar y workspace, expand Operating Systems , and select Task Sequences . The Task Sequences
node, including subfolders that you create, is replicated throughout the Configuration Manager hierarchy. For
planning information, see Planning considerations for automating tasks.

Create
Create task sequences by using the Create Task Sequence Wizard. This wizard can create the following types of
task sequences:
Task sequence to install an OS: Create the steps to install an OS. It also includes options to migrate user
data, include software updates, and install applications.
Task sequence to upgrade an OS: Create the steps to upgrade an OS. It also includes options to include
software updates and install applications.
Task sequence to capture an OS: Create the steps to build and capture an OS from a reference computer.
You can include software updates and install applications on the reference computer before capturing the
image.
Task sequence to capture and restore user state: Add steps to an existing task sequence to capture and
restore user state data.
Custom task sequence: This type doesn't add any steps to the task sequence. After you create this task
sequence, edit it, and add steps.

Edit
Modify a task sequence by adding or removing steps, adding or removing groups, or by changing the order of the
steps. For more information, see Use the task sequence editor.

Reduce the size of task sequence policy

When the size of the task sequence policy exceeds 32 MB, the client fails to process the large policy. The client then
fails to run the task sequence deployment.
The size of the task sequence as stored in the site database is smaller, but can still cause problems if too large.
When the client processes the entire task sequence policy, the expanded size can cause problems over 32 MB.
Starting in version 2006, to check for the 32-MB task sequence policy size on clients, use management insights.
To help reduce the overall size of policy of a task sequence deployment, take the following actions:
Separate functional segments into child task sequences, and use the Run Task Sequence step. Each task
sequence has a separate 32-MB limit on its policy size.
 NOTE
Reducing the total number of steps and groups in a task sequence has minimal impact on the policy size. Each step
is generally a couple of KB in policy. Moving groups of steps to a child task sequence is more impactful.

Reduce the number of software updates in deployments to the same collection as the task sequence.
Instead of entering a script in the Run PowerShell Script step, reference it via a package.
There's an 8-KB limit on the size of the task sequence environment when it runs. Review the usage of
custom task sequence variables, which can also contribute to the policy size.
As a last resort, split a complex, dynamic task sequence into separate task sequences with distinct
deployments to different collections.

Software Center properties

Use the following procedure to configure the details for the task sequence displayed in Software Center. These
details are for information only.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select Task Sequences .
2. Select the task sequence to edit, and select Proper ties .
3. On the General tab, the following settings for Software Center are available:
Restar t required : Lets the user know whether a restart is required during the installation.
Download size (MB) : Specifies how many megabytes are displayed in Software Center for the task
sequence.
Estimated run time (minutes) : Specifies the estimated run time in minutes that's displayed in
Software Center for the task sequence.

Advanced settings
Use the following procedure to configure the behavior of the task sequence on the Configuration Manager client.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select Task Sequences .
2. Select the task sequence to edit, and select Proper ties .
3. On the Advanced tab, the following settings are available:
Run another program first : Select this option to run a program in another package before the
task sequence runs. By default, this check box is cleared. You don't need to separately deploy the
program that you specify to run first.

IMPORTANT
This setting applies only to task sequences that run in the full OS. If you start the task sequence by using
PXE or boot media, Configuration Manager ignores this setting.

Package : Browse for the package that contains the program to run before this task sequence.
Program : Select the program to run before this task sequence.
 NOTE
If the selected program fails to run on a client, the task sequence doesn't run. If the selected program runs
successfully, it doesn't run again, even if the task sequence is rerun on the same client.

Suppress task sequence notifications : Select this option to hide the New Software is
available toast notification. You still see the New software icon from Software Center in the
notification area. By default, this option is disabled.
Disable this task sequence on computers where it is deployed : If you select this option,
Configuration Manager temporarily disables all deployments that contain this task sequence. It also
removes the task sequence from the list of deployments available to run. The task sequence doesn't
run until you enable it. By default, this option is disabled.
Maximum allowed run time : Specifies the maximum time in minutes that you expect the task
sequence to run on the destination computer. Use a whole number equal to or greater than zero. By
default, this value is 120 minutes.

IMPORTANT
If you're using maintenance windows for the collection to which you deploy this task sequence, a conflict
might occur if the Maximum allowed run time is longer than the scheduled maintenance window. If you
set the maximum run time to 0 , the task sequence starts during the maintenance window. It continues to
run until it completes or fails after the maintenance window is closed. As a result, task sequences with a
maximum run time set to 0 might run past the end of their maintenance windows. If you set the maximum
run time to a specific period (non-zero) that exceeds the length of any available maintenance window, then
that task sequence doesn't run. For more information, see How to use maintenance windows.

If you set the value as 0 , Configuration Manager evaluates the maximum allowed run time as 12
hours (720 minutes) for monitoring progress. However, the task sequence starts as long as the
countdown duration doesn't exceed the maintenance window value.

NOTE
When it reaches the maximum run time, if you don't allow users to interact with a required deployment, then
Configuration Manager stops the task sequence. If the task sequence itself isn't stopped, Configuration
Manager stops monitoring the task sequence after it reaches the maximum allowed run time.

Use a boot image : Use the selected boot image when the task sequence is run. Select Browse to
select a different boot image. Clear this option to disable the use of the selected boot image when
the task sequence runs.
This task sequence can run on any platform : If you select this option, Configuration Manager
doesn't check the platform type of the destination computer when the task sequence runs. This
option is selected by default.
This task sequence can only run on the specified client platforms : This option specifies the
processors, OS versions, and service packs on which this task sequence can run. When you select
this option, select at least one platform from the list. By default, no platforms are selected.
Configuration Manager uses this information when is evaluates which destination computers in a
collection receive the deployed task sequence.
 NOTE
When you run a task sequence from boot media or PXE, Configuration Manager ignores this option. The task
sequence runs as though the option This program can run on any platform is selected.

High-impact settings
Configure a task sequence as high-impact and customize the messages that users receive when they run the task
sequence.

WARNING
If you use PXE deployments, and configure device hardware with the network adapter as the first boot device, these devices
can automatically start an OS deployment task sequence without user interaction. Deployment verification doesn't manage
this configuration. While this configuration may simplify the process and reduce user interaction, it puts the device at greater
risk for accidental reimage.

Set a task sequence as a high-impact task sequence

Use the following procedure to set a task sequence as high-impact.

NOTE
Any task sequence that meets certain conditions is automatically defined as high-impact. For more information, see Manage
high-risk deployments.

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select Task Sequences .
2. Select the task sequence to edit, and select Proper ties .
3. On the User Notification tab, select This is a high-impact task sequence .
Create a custom notification for high-risk deployments
Use the following procedure to create a custom notification for high-impact deployments.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select Task Sequences .
2. Select the task sequence to edit, and select Proper ties .
3. On the User Notification tab, select Use custom text .

NOTE
You can only set user notification text when you select the option, This is a high-impact task sequence .

4. Configure the following settings:

NOTE
Each text box has a maximum limit of 255 characters.

User notification headline text : Specifies the blue text that displays on the Software Center user
 notification. For example, in the default user notification, this section contains "Confirm you want to
upgrade the operating system on this computer."
User notification message text : There are three text boxes that provide the body of the custom
notification. All text boxes require that you add text.
First text box: Specifies the main body of text, typically containing instructions for the user. For
example, in the default user notification, this section contains "Upgrading the operating
system takes time and your computer might restart several times."
Second text box: Specifies the bold text under the main body of text. For example, in the
default user notification, this section contains "This in-place upgrade installs the new
operating system and automatically migrates your apps, data, and settings."
Third text box: Specifies the last line of text under the bold text. For example, in the default
user notification, this section contains "Click Install to begin. Otherwise, click Cancel."
Example
Let's say you configure the following custom notification in properties.

The following notification message displays when the end user opens the installation from Software Center.
Performance improvements for power plans
Starting in version 1910, you can now run a task sequence with the high performance power plan. This option
improves the overall speed of the task sequence. It configures Windows to use its built-in high performance power
plan, which delivers maximum performance at the expense of higher power consumption. This option is on by
default for new task sequences.
When the task sequence starts, in most scenarios it records the currently enabled power plan. It then switches the
active power plan to the Windows default High Performance plan. If the task sequence restarts the computer, it
repeats this process. At the end of the task sequence, it resets the power plan to the stored value. This functionality
works in both Windows and Windows PE, but has no impact on virtual machines.
If the task sequence starts in Windows PE, the task sequence doesn't record the currently enabled power
plan for later reuse.
An OS deployment task sequence that reimages the computer (wipe and load) doesn't preserve the power
plan setting of the old OS. At the end of the task sequence, it restores the default Balanced power plan.

IMPORTANT
To take advantage of this new Configuration Manager feature, after you update the site, update clients to the latest version.
Also update boot images to include the latest client components. While new functionality appears in the Configuration
Manager console when you update the site and console, the complete scenario isn't functional until the client version is also
the latest.

1. In the Configuration Manager console, go to the Software Librar y workspace. Expand Operating
Systems , and select the Task Sequences node.
2. Create or choose an existing task sequence, and then select Proper ties .
3. Switch to the Performance tab.
4. Enable the option to Run as high performance power plan .

WARNING
Be cautious with this setting on low performance hardware. Running intense system operations for an extended period of
time can strain low-end hardware. Check with your hardware manufacturer for specific guidance.

Known issue
Usually, when you change settings in task sequence properties, it updates all existing deployments. When you
change this performance setting in the task sequence properties, it doesn't affect any existing deployments of the
task sequence. To enable or disable this setting for high performance, create a new task sequence deployment.

Distribute referenced content

Before clients run a task sequence that references content, distribute that content to distribution points. At any
time, you can select the task sequence and distribute its content to build a new list of reference packages for
distribution. If you make changes to the task sequence with updated content, redistribute the content before it's
available to clients. Use the following procedure to distribute the content that is referenced by a task sequence.
Process to distribute referenced content to distribution points
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. In the Task Sequence list, select the task sequence that you want to distribute.
3. On the Home tab of the ribbon, in the Deployment group, select Distribute Content . This action starts
the Distribute Content Wizard.
4. On the General page, verify that the correct task sequence is selected for distribution.
5. On the Content page, verify the content to distribute, such as the boot image referenced by the task
sequence.
6. On the Content Destination page, specify the collections, distribution point, or distribution point group
where you want to distribute the task sequence contents.

IMPORTANT
If the task sequence that you selected references content that's already distributed to a specific distribution point,
the wizard doesn't list that distribution point.

7. Complete the wizard.

You can also prestage the content referenced in the task sequence. Configuration Manager creates a compressed,
prestaged content file that contains the files, associated dependencies, and associated metadata for the content
that you select. Then you manually import the content at a site server, secondary site, or distribution point. For
more information about how to prestage content files, see Prestage content.

Deploy
For more information, see Deploy a task sequence.

Export and import

Export and import task sequences with or without their related objects. This referenced content includes the
following objects:
OS images
Boot images
Packages like the client install package
Driver packages
Applications with dependencies
Consider the following points when you export and import task sequences:
Configuration Manager doesn't export passwords in the task sequence. If you export and import a task
 sequence that contains passwords, edit the imported task sequence to reenter any passwords. Review the
following steps that may include a password:
Join Domain or Workgroup
Connect To Network Folder
Run Command Line
When you export a task sequence with the Set Dynamic Variables step, Configuration Manager doesn't
export values for variables that you configure with the Secret value setting. Reenter the values for these
variables after you import the task sequence.
When you have multiple primary sites, import task sequences at the central administration site.
Process to export task sequences
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. In the Task Sequence list, select the task sequences that you want to export. If you select more than one
task sequence, they're all stored in one export file.
3. On the Home tab of the ribbon, in the Task Sequence group, select Expor t . This action starts the Export
Task Sequence Wizard.
4. On the General page, specify the following settings:
File : Specify the location and name of the export file. If you enter the file name directly, be sure to
include the .zip extension to the file name. If you browse for the export file, the wizard automatically
adds this file name extension.
If you don't want to export task sequence dependencies, deselect the option to Expor t all task
sequence dependencies . By default, the wizard scans for all the related objects and exports them
with the task sequence. These dependencies include any for applications.
If you don't want to copy the content from the package source to the export location, deselect the
option to Expor t all content for the selected task sequences and dependencies . If you select
this option, the Import Task Sequence Wizard uses the import path as the new package source
location.
Administrator comments : Add a description of the task sequences to export.
5. Complete the wizard.
The wizard creates the following output files:
If you don't export content: a .zip file.
If you export content: a .zip file and a folder named export_files, where export is the name of the .zip file
that contains the exported content.
If you include content when you export a task sequence, make sure that you copy the .zip file and the export_files
folder, or the import fails.
Process to import task sequences
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Impor t Task Sequence . This action starts the
Import Task Sequence Wizard.
3. On the General page of the ribbon, specify the exported .zip file.
4. On the File Content page, select the action that you require for each object that you import. This page
shows all the objects that Configuration Manager found to import.
If the object has never been imported, select Create New .
If the object has been previously imported, select one of the following actions:
Ignore Duplicate (default): This action doesn't import the object. Instead, the wizard links the
existing object to the task sequence.
Over write : This action overwrites the existing object with the imported object. For
applications, you can add a revision to update the existing application or create a new
application.
5. Complete the wizard.
After you import the task sequence, edit the task sequence to specify any passwords that were in the original task
sequence. For security reasons, passwords aren't exported.

Return to previous page on failure

When you run a task sequence, and there's a failure, you can return to a previous page of the task sequence
wizard. In prior versions of Configuration Manager, you had to restart the task sequence when there was a failure.
Use the Previous button in the following scenarios:
When a computer starts in Windows PE, the task sequence bootstrap dialog might display before the task
sequence is available. When you select Next in this scenario, the final page of the task sequence displays
with a message that there are no task sequences available. Now, you can select Previous to search again
for available task sequences. You can repeat this process until the task sequence is available.
When you run a task sequence, but dependent content packages aren't available yet on distribution points,
the task sequence fails. If the missing content wasn't distributed yet, distribute it now. Or wait for the
content to be available on distribution points. Then select Previous to have the task sequence search again
for the content.

Collection and device variables

You can define custom task sequence variables for computers and collections. Variables that you define for a
computer are referred to as per-computer task sequence variables. Variables defined for a collection are referred
to as per-collection task sequence variables. For more information, see Collection and device variables.

Additional actions
You can manage task sequences by using additional actions when you select a task sequence.
Edit
For more information, see Use the task sequence editor.
Enable
Enables the task sequence so that clients can run it. You don't need to redeploy a task sequence after it's enabled.
Disable
Disables the task sequence so that it can't run on computers. You can deploy a disabled task sequence, but
computers don't run the task sequence until you enable it.
Export
For more information, see Export and import task sequences.
Copy
Makes a copy of the selected task sequence. This action is useful to create a new task sequence that's based on an
existing task sequence.
When you make a copy of a task sequence in a folder, the copy is listed in that folder until you refresh the task
sequence node. After the refresh, the copy appears in the root folder.
Refresh
Refreshes the details for the selected task sequence.
Delete
Deletes the selected task sequence.
Create Phased Deployment
For more information, see Create phased deployments.
Deploy
For more information, see Deploy a task sequence.
Distribute Content
Starts the Distribute Content Wizard to send the referenced content to distribution points.
Create Prestaged Content File
Starts the Create Prestaged Content File Wizard to prestage the task sequence content. For information about how
to create a prestaged content file, see Prestage content.
Move
Moves the selected task sequence to another folder in the Task Sequences node.
Set Security Scopes
Select the security scopes for the selected task sequence. For more information, see Security scopes.
Properties
For more information, see Configure Software Center properties and Configure advanced task sequence settings.
View
Starting in version 1902, the View action on task sequences is the default. This action lets you see the steps of the
task sequence without locking it for editing. For more information, see Use the task sequence editor.

See also
Scenarios to deploy enterprise operating systems
Use the task sequence editor
Deploy a task sequence
Task sequence steps
Collection and device variables
Create phased deployments
 Create a task sequence to install an OS
9/4/2020 • 10 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Use task sequences in Configuration Manager to automatically install an OS image on a destination computer.
You create a task sequence that references a boot image used to start the destination computer, the OS image
that you want to install on the destination computer, and any other additional content, such as other applications
or software updates, that you want to install. Then you deploy the task sequence to a collection that contains the
destination computer.

Create a task sequence to install an OS

There are multiple scenarios to deploy an OS to computers in your environment. In most cases, create a task
sequence and select Install an existing image package in the Create Task Sequence Wizard. This option
creates a task sequence that installs the OS, migrates user settings, applies software updates, and installs
applications.
Prerequisites
Before you create a task sequence to install an OS, the following requirements must be in place:
Required
A boot image
An OS image
Required (if used)
Synchronize software updates
Add applications
Process to create a task sequence that installs an OS
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence . This action starts the
Create Task Sequence Wizard.
3. On the Create a New Task Sequence page, select Install an existing Image package , and then select
Next .
4. On the Task Sequence Information page, specify the following settings:
Task sequence name : Specify a name that identifies the task sequence.
Description : Specify a description of what the task sequence does.
Boot image : Specify the boot image that the task sequence uses to install the OS on the
destination computer. The boot image contains a version of Windows PE, plus any additional
required device drivers. For more information, see Manage boot images.
 IMPORTANT
The architecture of the boot image must be compatible with the hardware architecture of the destination
computer.

5. On the Install Windows page, specify the following settings:

Image package : Specify the package that contains the OS image to install. For more information,
see Manage OS images.
Image : If the OS image package has multiple images, specify the index of the OS image to install.
Par tition and format the target computer installing the operating system : Specify
whether you want the task sequence to partition and format the destination computer before it
installs the OS.
Product key : Specify the Windows product key, if necessary. You can specify encoded volume
license keys and standard product keys. If you use a non-encoded product key, each group of five
characters must be separated by a dash ( - ). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Ser ver licensing mode : Specify that the server license is Per seat , Per ser ver , or that no license
is specified. If the server license is Per ser ver , also specify the maximum number of server
connections.
Specify how to handle the administrator account for the new OS:
Randomly generate the local administrator account password and disable the
account on all suppor ted platform (recommended) : Windows disables the local
administrator account after the task sequence deploys the OS image.
Enable the account and specify the local administrator password : Windows uses the
same password for the local administrator account on all computers where the task
sequence deploys the OS image.
6. On the Configure Network page, specify the following settings:
Join a workgroup : Add the destination computer to a workgroup.
Join a domain : Add the destination computer to a domain. In Domain , specify the name of the
domain.

IMPORTANT
You can browse to locate domains in the local forest, but you must specify the domain name for a remote
forest.

You can also specify an organizational unit (OU) in the Domain OU field. This setting is optional,
and specifies the LDAP X.500-distinguished name of the OU. If it doesn't already exist, Windows
creates the computer account in this OU.
Account : The user name and password for the account that has permissions to join the specified
domain. For example: domain\user or %variable%.
 IMPORTANT
If you plan to migrate either the domain settings or the workgroup settings, enter the appropriate domain
credentials.

7. On the Install Configuration Manager page, specify the Configuration Manager client package to
install on the destination computer. You can also include any installation properties.
8. On the State Migration page, specify the following information:
Capture user settings : The task sequence captures the user state. For more information about
how to capture and restore the user state, see Manage user state.
Capture network settings : The task sequence captures network settings from the destination
computer. It captures the membership of the domain or workgroup, also the network adapter
settings.
Capture Microsoft Windows settings : The task sequence captures Windows settings from the
destination computer before it installs the OS image. It captures the computer name, registered
user and organization name, and the time zone settings.
9. On the Include Updates page, specify whether to install required software updates, all software updates,
or no software updates. If you specify to install software updates, Configuration Manager installs only
those software updates that are targeted to the collections that the destination computer is a member of.
10. On the Install Applications page, specify the applications to install on the destination computer. If you
specify multiple applications, you can also specify that the task sequence continues if the installation of a
specific application fails.
11. Complete the wizard.
You can now deploy the task sequence to a collection of computers. For more information, see Deploy a task
sequence.

Pre-cache content
Starting in version 1906, you can enable this type of task sequence to pre-cache content. The pre-cache feature
for available deployments of task sequences lets clients download relevant content before a user installs the task
sequence.
For more information, see Configure pre-cache content.

Example task sequence

Use the following table as a guide as you create a task sequence that deploys an OS using an existing image. The
table helps you decide the general sequence for your task sequence steps and how to organize and structure
those task sequence steps into logical groups. The task sequence that you create may vary from this sample and
can contain more or less task sequence steps and groups.

NOTE
Use the Create Task Sequence Wizard to create this task sequence.
When you use the Create Task Sequence Wizard to create this new task sequence, some of the step names are different
than what they would be if you manually added these task sequence steps to an existing task sequence.
TA SK SEQ UEN C E GRO UP O R ST EP DESC RIP T IO N

Capture File and Settings - (New task sequence group) Create a task sequence group. A task sequence group keeps
similar task sequence steps together for better organization
and error control.

This group contains the steps needed to capture files and

settings from the operating system of a reference computer.

Capture Windows Settings Use this task sequence step to identify the Microsoft
Windows settings to capture from the reference computer.
You can capture the computer name, user and organizational
information, and the time zone settings.

Capture Network Settings Use this task sequence step to capture network settings from
the reference computer. You can capture the domain or
workgroup membership of the reference computer and the
network adapter setting information.

Capture User Files and Settings - (New task sequence Create a task sequence group within a task sequence group.
subgroup) This subgroup contains the steps needed to capture user
state data. Similar to the initial group that you added, this
subgroup keeps similar task sequence steps together for
better organization and error control.

Request User State Storage Use this task sequence step to request access to a state
migration point where the user state data is stored. You can
configure this task sequence step to capture or restore the
user state information.

Capture User Files and Settings Use this task sequence step to use the User State Migration
Tool (USMT) to capture the user state and settings from the
reference computer that will receive the task sequence
associated with this task step. You can capture the standard
options or configure which options to capture.

Release User State Storage Use this task sequence step to notify the state migration
point that the capture or restore action is complete.

Install Operating System - (New task sequence group) Create another task sequence subgroup. This subgroup
contains the steps needed to install and configure the
Windows PE environment.

Restart in Windows PE Use this task sequence step to specify the restart options for
the destination computer that receives this task sequence.
This step will display a message to the user indicating that
the computer will be restarted so that the installation can
continue.

This step uses the read-only _SMSTSInWinPE task

sequence variable. If the associated value equals false the
task sequence step continues.
TA SK SEQ UEN C E GRO UP O R ST EP DESC RIP T IO N

Partition Disk 0 This task sequence step specifies the actions necessary to
format the hard drive on the destination computer. The
default disk number is 0 .

This step uses the read-only _SMSTSClientCache task

sequence variable. This step runs if the Configuration
Manager client cache doesn't exist.

Apply Operating System Use this task sequence step to install the operating system
image onto the destination computer. This step first deletes
all files on the volume, except for any Configuration
Manager-specific control files. It then applies all volume
images contained in the WIM file to the corresponding
sequential disk volume on the target computer. You can
specify a sysprep answer file and also configure which disk
partition is used for the installation.

Apply Windows Settings Use this task sequence step to configure the Windows
settings configuration information for the destination
computer. The windows settings you can apply are user and
organizational information, product or license key
information, time zone, and the local administrator password.

Apply Network Settings Use this task sequence step to specify the network or
workgroup configuration information for the destination
computer. You can also specify if the computer uses a DHCP
server or you can statically assign the IP address information.

Apply Device Drivers Use this task sequence step to install drivers as part of the
operating system deployment. You can allow Windows Setup
to search all existing driver categories by selecting Consider
drivers from all categories or limit which driver categories
Windows Setup searches by selecting Limit driver
matching to only consider drivers in selected
categories .

This step uses the read-only _SMSTSMediaType task

sequence variable. This task sequence step runs only if the
value of the variable doesn't equal FullMedia .

Apply Driver Package Use this task sequence step to make all device drivers in a
driver package available for use by Windows setup.

Setup Operating System - (New task sequence group) Create another task sequence subgroup. This subgroup
contains the steps needed to set up the installed operating
system.

Setup Windows and ConfigMgr Use this task sequence step to install the Configuration
Manager client software. Configuration Manager installs and
registers the Configuration Manager client GUID. You can
assign the necessary installation parameters in the
Installation proper ties window.
TA SK SEQ UEN C E GRO UP O R ST EP DESC RIP T IO N

Install Updates Use this task sequence step to specify how software updates
are installed on the destination computer. The destination
computer isn't evaluated for applicable software updates until
this task sequence step runs. At that point, the destination
computer is evaluated for software updates similar to any
other Configuration Manager-managed client.

This step uses the read-only _SMSTSMediaType task

sequence variable. This task sequence step runs only if the
value of the variable doesn't equal FullMedia .

Restore User Files and Settings - (New task sequence Create another task sequence subgroup. This subgroup
subgroup) contains the steps needed to restore the user files and
settings.

Request User State Storage Use this task sequence step to request access to a state
migration point where the user state data is stored.

Restore User Files and Settings Use this task sequence step to run the User State Migration
Tool (USMT) to restore user state and settings to a
destination computer.

Release User State Storage Use this task sequence step to notify the state migration
point that the user state data is no longer needed.
 Create a task sequence to upgrade an OS in
Configuration Manager
9/4/2020 • 13 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Use task sequences in Configuration Manager to automatically upgrade an OS on a destination computer. This
upgrade can be from Windows 7 or later to Windows 10, or from Windows Server 2012 or later to Windows
Server 2016. Create a task sequence that references the OS upgrade package and any other content to install, such
as applications or software updates. The task sequence to upgrade an OS is part of the Upgrade Windows to the
latest version scenario.

Prerequisites
Before you create the task sequence, the following requirements must be in place:
Required
The OS upgrade package must be available in the Configuration Manager console.
When upgrading to Windows Server 2016, select the Ignore any dismissable compatibility messages
setting in the Upgrade Operating System task sequence step. Otherwise the upgrade fails.
Required (if used)
Software updates must be synchronized in the Configuration Manager console.
Applications must be added to the Configuration Manager console.

Create a task sequence to upgrade an OS

To upgrade the OS on clients, create a task sequence and select Upgrade an operating system from upgrade
package in the Create Task Sequence Wizard. The wizard adds the task sequence steps to upgrade the OS, apply
software updates, and install applications.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select Task Sequences .
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence .
3. On the Create a New Task Sequence page of the Create Task Sequence Wizard, select Upgrade an
operating system from an upgrade package , and then select Next .
4. On the Task Sequence Information page, specify the following settings:
Task sequence name : Specify a name that identifies the task sequence.
Description : Optionally specify a description.
5. On the Upgrade the Windows Operating System page, specify the following settings:
Upgrade package : Specify the upgrade package that contains the OS upgrade source files. Verify
that you've selected the correct upgrade package by looking at the information in the Proper ties
pane. For more information, see Manage OS upgrade packages.
Edition index : If there are multiple OS edition indexes available in the package, select the desired
 edition index. By default, the wizard selects the first index.
Product key : Specify the Windows product key for the OS to install. Specify encoded volume license
keys or standard product keys. If you use a standard product key, separate each group of five
characters by a dash ( - ). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX . When the upgrade is for a
volume license edition, the product key may not be required.

NOTE
This product key can be a multiple activation key (MAK), or a generic volume licensing key (GVLK). A GVLK is
also referred to as a key management service (KMS) client setup key. For more information, see Plan for
volume activation. For a list of KMS client setup keys, see Appendix A of the Windows Server activation guide.

Ignore any dismissable compatibility messages : Select this setting if you're upgrading to
Windows Server 2016. If you don't select this setting, the task sequence fails to complete because
Windows Setup is waiting for the user to select Confirm on a Windows app compatibility dialog.
6. On the Include Updates page, specify whether to install required, all, or no software updates. Then select
Next . If you specify to install software updates, Configuration Manager installs only those updates targeted
to the collections of which the destination computer is a member.
7. On the Install Applications page, specify the applications to install on the destination computer, and then
select Next . If you select more than one application, also specify whether the task sequence should continue
if the installation of a specific application fails.
8. Complete the wizard.

IMPORTANT
When the task sequence runs on a device, the Configuration Manager client creates several scripts to control the task
sequence behavior in various scenarios. When the task sequence completes, the client doesn't remove these scripts until the
computer restarts. These script files don't contain sensitive information.

The default task sequence template for Windows 10 in-place upgrade includes additional groups with
recommended actions to add before and after the upgrade process. These actions are common among many
customers who are successfully upgrading devices to Windows 10. For more information, see recommended task
sequence steps to prepare for upgrade and for post-processing.
Starting in version 1806, this task sequence template also includes a group with recommended actions to add in
case the upgrade process fails. These actions make it easier to troubleshoot. For more information, see
recommended task sequence steps on failure.

Configure pre-cache content

The pre-cache feature for available deployments of task sequences lets clients download relevant OS upgrade
package content before a user installs the task sequence.
For more information, see Configure pre-cache content.

Recommended task sequence steps to prepare for upgrade

The default task sequence template for Windows 10 in-place upgrade includes additional groups with
recommended actions to add before the upgrade process. These actions in the Prepare for Upgrade group are
common among many customers who are successfully upgrading devices to Windows 10. If you have an existing
task sequence that doesn't already have these actions, manually add them to your task sequence in the Prepare
for Upgrade group.
Battery checks
Add steps in this group to check whether the computer is using battery, or wired power. This action requires a
custom script or utility to perform this check.
Battery check example
Use WbemTest and connect to the root\cimv2 namespace. Then run the following query:
Select BatteryStatus From Win32_Battery where BatteryStatus != 2

If it returns any results, then the device is running on battery. Otherwise, the device is connected to wired power.
Network/wired connection checks
Add steps in this group to check whether the computer is connected to a network, and isn't using a wireless
connection. This action requires a custom script or utility to perform this check.
Network check example
Use WbemTest and connect to the root\cimv2 namespace. Then run the following query:
Select * From Win32_NetworkAdapter Where NetConnectionStatus = 2 and PhysicalAdapter = 'True' and
NetConnectionID = 'Wi-Fi'

If it returns any results, then the device is running on Wi-Fi. Otherwise, the device is connected to wired network
connection.
Remove incompatible applications
Add steps in this group to remove any applications that are incompatible with this version of Windows 10. The
method to uninstall an application varies.
If the application uses Windows Installer, copy the Uninstall program command line from the Programs tab on
the Windows Installer deployment type properties of the application. Then add a Run Command Line step in this
group with the uninstall program command line. For example:
msiexec /x {150031D8-1234-4BA8-9F52-D6E5190D1CBA} /q

Remove incompatible drivers

Add steps in this group to remove any drivers that are incompatible with this version of Windows 10.
Remove/suspend third-party security
Add steps in this group to remove or suspend third-party security programs, such as antivirus.
If you're using a third-party disk encryption program, provide its encryption driver to Windows Setup with the
/ReflectDrivers command-line option. Add a Set Task Sequence Variable step to the task sequence in this group.
Set the task sequence variable to OSDSetupAdditionalUpgradeOptions . Set the value to /ReflectDrivers with
the path to the driver. This task sequence variable appends the Windows Setup command-line used by the task
sequence. Contact your software vendor for any additional guidance on this process.
Download Package Content task sequence step
Use the Download Package Content step before the Upgrade Operating System step in the following scenarios:
You use a single upgrade task sequence for both x86 and x64 platforms. Include two Download Package
Content steps in the Prepare for Upgrade group. Set conditions on each step to detect the client
architecture. This condition causes the step to download only the appropriate OS upgrade package.
Configure each Download Package Content step to use the same variable, and use the variable for the
media path on the Upgrade Operating System step.
To dynamically download an applicable driver package, use two Download Package Content steps with
conditions to detect the appropriate hardware type for each driver package. Configure each Download
Package Content step to use the same variable. Then use that variable for the Staged content value in the
 drivers section on the Upgrade Operating System step.

NOTE
Configuration Manager adds a numerical suffix to this variable name. For example, if you specify %mycontent% as a
custom variable, the client stores all referenced content in this location. When you refer to the variable in a
subsequent step, such as Upgrade Operating System , use the variable with a numerical suffix. In this example,
%mycontent01% or %mycontent02% , where the number corresponds to the order in which the Download Package
Content step lists this specific content.

Recommended task sequence steps for post-processing

After you create the task sequence, add additional steps in the Post-Processing group of the task sequence.

NOTE
This task sequence isn't linear. There are conditions on steps that can affect the results of the task sequence. This behavior
depends on whether it successfully upgrades the client computer, or if it has to roll back the client computer to the original
OS.

The default task sequence template for Windows 10 in-place upgrade includes additional groups with
recommended actions to add after the upgrade process. These actions in the Post-Processing group are common
among many customers who are successfully upgrading devices to Windows 10. If you have an existing task
sequence that doesn't already have these actions, manually add them to your task sequence in the Post-
Processing group.
Apply setup-based drivers
Add steps in this group to install setup-based drivers (.exe) from packages.
Install/enable third-party security
Add steps in this group to install or enable third-party security programs, such as antivirus.
Set Windows default apps and associations
Add steps in this group to set Windows default apps and file associations.
1. Prepare a reference computer with your desired app associations.
2. Run the following command line to export:
dism /online /Export-DefaultAppAssociations:"%UserProfile%\Desktop\DefaultAppAssociations.xml"
3. Add the XML file to a package.
4. Add a Run Command Line step in this group. Specify the package that contains the XML file, and then specify
the following command line:
dism /online /Import-DefaultAppAssociations:DefaultAppAssociations.xml

For more information, see Export or import default application associations.

Apply customizations and personalization
Add steps in this group to apply Start menu customizations, such as organizing program groups. For more
information, see Customize the Start screen.

Optional task sequence steps for rollback

When something goes wrong with the upgrade process after the computer restarts, Windows Setup rolls back the
system to the previous OS. The task sequence then continues with any steps in the Rollback group. After you
create the task sequence, add optional steps in this group as necessary. For example, reverse any changes made to
the system in the Prepare for Upgrade group, such as uninstalling incompatible software.

Recommended task sequence steps on failure

Starting in version 1806, the default task sequence template for Windows 10 in-place upgrade includes a group to
Run actions on failure . This group includes recommended actions to add in case the upgrade process fails. These
actions make it easier to troubleshoot.
Collect logs
To gather logs from the client, add steps in this group.
A common practice is to copy the log files to a network share. To establish this connection, use the Connect
to Network Folder step.
To perform the copy operation, use a custom script or utility with either the Run Command Line or Run
PowerShell Script step.
Files to collect might include the following logs:
%_SMSTSLogPath%\*.log
%SystemDrive%\$Windows.~BT\Sources\Panther\setupact.log

For more information on setupact.log and other Windows Setup logs, see Windows Setup Log files.
For more information on Configuration Manager client logs, see Configuration Manager client logs.
For more information on _SMSTSLogPath and other useful variables, see Task sequence variables.
Run diagnostic tools
To run additional diagnostic tools, add steps in this group. Automate these tools for collecting additional
information from the system right after the failure.
One such tool is Windows SetupDiag. It's a standalone diagnostic tool to obtain details about why a Windows 10
upgrade was unsuccessful.
In Configuration Manager, create a package for the tool.
Add a Run Command Line step to this group of your task sequence. Use the Package option to reference
the tool. The following string is an example Command line :
SetupDiag.exe /Output:"%_SMSTSLogPath%\SetupDiagResults.log"

TIP
Always use the most recent version of SetupDiag for the latest functionality and fixes to known issues. For more information,
see SetupDiag.

Additional recommendations
Windows documentation
Review Windows documentation to Resolve Windows 10 upgrade errors. This article also includes detailed
information about the upgrade process.
Check minimum disk space
On the default Check Readiness step, enable Ensure minimum free disk space (MB) . Set the value to at least
16384 (16 GB) for a 32-bit OS upgrade package, or 20480 (20 GB) for 64-bit.
Retry downloading policy
Use the SMSTSDownloadRetr yCount task sequence variable to retry downloading policy. Currently by default,
the client retries twice; this variable is set to two (2). If your clients aren't on a wired intranet network connection,
additional retries help the client obtain policy. Using this variable causes no negative side effect, other than delayed
failure if it can't download policy. Also increase the SMSTSDownloadRetr yDelay variable from the default 15
seconds.
Perform an inline compatibility assessment
1. Add a second Upgrade Operating System step early in the Prepare for Upgrade group.
a. Name it Upgrade assessment.
b. Specify the same upgrade package, and then enable the option to Perform Windows Setup
compatibility scan without star ting upgrade .
c. Enable Continue on error on the Options tab.
2. Immediately following this Upgrade assessment step, add a Run Command Line step. Specify the
following command line:
cmd /c exit %_SMSTSOSUpgradeActionReturnCode%

This command causes the command prompt to exit with the specified non-zero exit code, which the task
sequence considers a failure.
3. On the Options tab, add the following condition:
Task Sequence Variable _SMSTSOSUpgradeActionReturnCode not equals 3247440400

This condition means that the task sequence only runs this Run Command Line step if the return code isn't
a success code.
The return code 3247440400 is the decimal equivalent of MOSETUP_E_COMPAT_SCANONLY (0xC1900210), which
is a successful compatibility scan with no issues. If the Upgrade Assessment step succeeds and returns 3247440400 ,
the task sequence skips this Run Command Line step, and continues. If the assessment step returns any other
return code, this Run Command Line step runs. Because the command exits with a non-zero return code, the task
sequence also fails. The task sequence log and status messages include the return code from the Windows Setup
compatibility scan. For more information on _SMSTSOSUpgradeActionReturnCode , see Task sequence
variables.
For more information, see the Upgrade operating system task sequence step.
Convert from BIOS to UEFI
If you want to change the device from BIOS to UEFI during this task sequence, see Convert from BIOS to UEFI
during an in-place upgrade.
Manage BitLocker
If you're using BitLocker Disk Encryption, then by default Windows Setup automatically suspends it during upgrade.
Starting in Windows 10 version 1803, Windows Setup includes the /BitLocker command-line parameter to
control this behavior. If your security requirements necessitate keeping active disk encryption at all times, then use
the OSDSetupAdditionalUpgradeOptions task sequence variable in the Prepare for Upgrade group to
include /BitLocker TryKeepActive . For more information, see Windows Setup Command-line Options.
Remove default apps
Some customers remove default provisioned apps in Windows 10. For example, the Bing Weather app, or the
Microsoft Solitaire Collection. In some situations, these apps return after updating Windows 10. For more
information, see How to keep apps removed from Windows 10.
Add a Run Command Line step to the task sequence in the Prepare for Upgrade group. Specify a command
line similar to the following example:
cmd /c reg add
"HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.BingWeather_8wekyb3d8bbwe"
/f
 Task sequence steps to manage BIOS to UEFI
conversion
9/4/2020 • 4 minutes to read • Edit Online

Windows 10 provides many new security features that require UEFI-enabled devices. You might have newer
Windows devices that support UEFI, but are using legacy BIOS. Previously, converting a device to UEFI required you
to go to each device, repartition the hard disk, and reconfigure the firmware.
With Configuration Manager you can automate the following actions:
Prepare a hard drive for BIOS to UEFI conversion
Convert from BIOS to UEFI as part of the in-place upgrade process
Collect UEFI information as part of hardware inventory

Hardware inventory collects UEFI information

The hardware inventory class (SMS_Firmware ) and property (UEFI ) are available to help you determine whether
a computer starts in UEFI mode. When a computer is started in UEFI mode, the UEFI property is set to TRUE .
Hardware inventory enables this class by default. For more information about hardware inventory, see How to
configure hardware inventory.

Create a custom task sequence to prepare the hard drive

You can customize an OS deployment task sequence with the TSUEFIDrive variable. The Restar t Computer step
prepares a FAT32 partition on the hard drive for transition to UEFI. The following procedure provides an example of
how you can create task sequence steps to do this action.
Prepare the FAT32 partition for the conversion to UEFI
In an existing task sequence to install an OS, add a new group with steps to do the BIOS to UEFI conversion.
1. Create a new task sequence group after the steps to capture files and settings, and before the steps to install
the OS. For example, create a group after the Capture Files and Settings group named BIOS-to-UEFI .
2. On the Options tab of the new group, add a new task sequence variable as a condition. Set
_SMSTSBootUEFI not equal true . With this condition, the task sequence only runs these steps on BIOS
devices.
3. Under the new group, add the Restar t Computer task sequence step. In Specify what to run after
restar t , select The boot image assigned to this task sequence is selected . This action restarts the
computer in Windows PE.
4. On the Options tab, add a task sequence variable as a condition. Set _SMSTSInWinPE equals false . With
this condition, the task sequence doesn't run this step if the computer is already in Windows PE.
5. Add a step to start an OEM tool to convert the firmware from BIOS to UEFI. This step is typically Run
Command Line , with the command to run the OEM tool.
6. Add the Format and Par tition Disk task sequence step. In this step, configure the following options:
a. Create the FAT32 partition to convert to UEFI before the OS is installed. For Disk type , choose GPT .
b. Go to the properties for the FAT32 partition. In the Variable field, enter TSUEFIDrive . When the task
sequence detects this variable, it prepares the partition for the UEFI transition before it restarts the
computer.
 c. Create an NTFS partition that the task sequence uses to save its state and to store log files.
7. Add another Restar t Computer task sequence step. In Specify what to run after restar t , select The
boot image assigned to this task sequence is selected to start the computer in Windows PE.

TIP
By default, the EFI partition size is 500 MB. In some environments, the boot image is too large to store on this
partition. To work around this issue, increase the size of the EFI partition. For example, set it to 1 GB.

Convert from BIOS to UEFI during in-place upgrade

Windows 10 includes a simple conversion tool, MBR2GPT . It automates the process to repartition the hard disk for
UEFI-enabled hardware. You can integrate the conversion tool into the in-place upgrade process to Windows 10.
Combine this tool with your upgrade task sequence and the OEM tool that converts the firmware from BIOS to
UEFI.
Requirements
A supported version of Windows 10
Computers that support UEFI
OEM tool that converts the computer's firmware from BIOS to UEFI
Process to convert from BIOS to UEFI during an in-place upgrade task sequence
1. Create a task sequence to upgrade an OS
2. Edit the task sequence. In the Post-Processing group, make the following changes:
 a. Add the Run Command Line step. Specify the command line for the MBR2GPT tool. When run in the
full OS, configure it to covert the disk from MBR to GPT without modifying or deleting data. In
Command line , enter the following command: MBR2GPT.exe /convert /disk:0 /AllowFullOS

TIP
You can also choose to run the MBR2GPT.EXE tool when in Windows PE instead of in the full OS. Add a step to restart
the computer to Windows PE before the step to run the MBR2GPT.EXE tool. Then remove the /AllowFullOS option
from the command line.

For more information about the tool and available options, see MBR2GPT.EXE.
a. Add a step to run the OEM tool that converts the firmware from BIOS to UEFI. This step is typically
Run Command Line , with a command line to run the OEM tool.
b. Add the Restar t Computer step, and select The currently installed default operating system .
3. Deploy the task sequence.
 Create a task sequence to capture an OS
9/4/2020 • 12 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

When you use a task sequence to deploy an OS to a computer in Configuration Manager, the computer installs the
OS image that you specify in the task sequence. You can customize the OS image so it includes specific drivers,
applications, and software updates. First use a build and capture task sequence to build a reference computer. Then
capture the OS image from that reference computer. If you already have a reference computer available to capture,
create a custom task sequence to capture the OS.

About the build and capture task sequence

The build and capture task sequence:
Partitions and formats the reference computer
Installs the OS
Installs the Configuration Manager client
Installs applications
Applies software updates
Captures the OS from the reference computer
The packages associated with the task sequence, such as applications, must be available on distribution points
before you deploy the build and capture task sequence.

Requirements
Before you create a task sequence to install an OS, make sure the following components are in place:
Required
Boot image
OS image
Required (if used)
Driver packages that contain the necessary Windows drivers to support hardware on the reference
computer. For more information about the task sequence steps to manage drivers, see Use task sequences
to install device drivers.
Software updates
Applications

Create a build and capture task sequence

Use the following procedure to use a task sequence to build a reference computer and capture the OS.
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence to start the Create
Task Sequence Wizard.
3. On the Create a New Task Sequence page, select Build and capture a reference operating system
image .
4. On the Task Sequence Information page, specify the following settings:
Task sequence name : Specify a name that identifies the task sequence.
Description : Specify an optional description for the task sequence. For example, describe the OS
that the task sequence creates.
Boot image : Specify the boot image to use with this task sequence.

IMPORTANT
The architecture of the boot image must be compatible with the hardware architecture of the destination
computer.

5. On the Install Windows page, specify the following settings:

Image package : Specify the OS image package, which contains the required files to install the OS.
Image index : Specify the index of the OS to install in the image. If the OS image contains multiple
versions, select the version that you want to install.
Product key : If necessary, specify the product key for the Windows OS to install. You can specify
encoded volume license keys and standard product keys. If you use a non-encoded product key,
separate each group of five characters with a dash ( - ). For example: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
Ser ver licensing mode : If necessary, specify that the server license is Per seat , Per ser ver , or that
no license is specified. If the server license is Per ser ver , also specify the maximum number of
server connections.
Specify how to configure the administrator account for the deployed OS:
Randomly generate the local administrator password and disable the account on
all suppor ted platforms : Create a random password for the local administrator account.
Disable the account when the Windows is set up.
Enable the account and specify the local administrator password : Use the same
password for the local administrator account on all computers where you deploy this OS.
6. On the Configure Network page, specify the following settings:
Join a workgroup : Specify whether to add the destination computer to a workgroup when the OS
is deployed.
Join a domain : Specify whether to add the destination computer to a domain when the OS is
deployed. In Domain , specify the name of the domain.

IMPORTANT
You can browse to locate domains in the local forest. Specify the domain name for a remote forest.

You can also specify an organizational unit (OU). This setting is optional, and specifies the LDAP
X.500 distinguished name of the OU in which to create the computer account, if it doesn't already
exist.
Account : Specify the user name and password for the account that has permissions to join the
 specified domain. For example: domain\user or %variable% .

IMPORTANT
If you plan to migrate either the domain settings or the workgroup settings during the deployment, make
sure you enter the appropriate domain credentials here.

7. On the Install Configuration Manager page, specify the Configuration Manager client package. This
package contains the source files to install the Configuration Manager client. Also specify any additional
properties needed to install the client.
For more information, see About client installation properties.
8. On the Include Updates page, specify whether to install required software updates, all software updates,
or no software updates. If you specify to install software updates, Configuration Manager installs only those
software updates that are targeted to the collections that the destination computer is a member of.
9. On the Install Applications page, specify the applications to install on the destination computer. If you
specify multiple applications, you can also specify that the task sequence continues if the installation of a
specific application fails.

NOTE
The System Preparation page appears next in the wizard, but it's no longer used. Select Next to continue.

10. On the Images Proper ties page, specify the following settings for the OS image:
Created by : Specify the name of the user to note as the creator of the OS image.
Version : Specify your version number that's associated with the OS image. This attribute doesn't
need to be the OS version, as the site stores that value separately.
Description : Specify your description of the OS image.
11. On the Capture Image page, specify the following settings:
Path : Specify a shared network folder where Configuration Manager should store the output image
file (.wim). This file contains the OS image that's based on the settings you specify in this wizard. If
you specify a folder that contains an existing .WIM file, it's overwritten.
Account : Specify the Windows account that has permissions to the network share where the image
is stored.
12. Complete the wizard.
To add additional steps to the task sequence, select it, and choose Edit . For more information about how to edit a
task sequence, see Use the task sequence editor.
Deploy the task sequence to a reference computer in one of the following ways:
If the reference computer is already a Configuration Manager client, deploy the build and capture task
sequence to a collection that contains the reference computer. For more information, see Deploy a task
sequence.
If the reference computer isn't a Configuration Manager client, or if you want to manually run the task
sequence on the reference computer, use the Create Task Sequence Media Wizard to create bootable
media. For more information, see Create bootable media.
 After you capture the image, you can deploy it to other computers. For more information about how to deploy the
captured OS image, see Create a task sequence to install an OS.

Capture from an existing reference computer

When you already have a reference computer ready to capture, create a task sequence that only captures the OS
from the reference computer. Use the Capture Operating System Image task sequence step to capture one or
more images from a reference computer and store them in an image file (.wim) on the specified network share.
Start the reference computer in Windows PE with a boot image. The task sequence captures each hard drive on the
reference computer as a separate image within the .wim file. If the referenced computer has multiple drives, the
resulting .wim file contains a separate image for each volume. It only captures volumes that are formatted as NTFS
or FAT32. It skips volumes with other formats or USB volumes.
Use the following procedure to capture an OS image from an existing reference computer:
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence . This action starts the
Create Task Sequence Wizard.
3. On the Create a New Task Sequence page, select Create a new custom task sequence .
4. On the Task Sequence Information page, specify a name for the task sequence. Optionally add a
description for the task sequence.
5. Specify a boot image for the task sequence. Configuration Manager uses this boot image to start the
reference computer with Windows PE. For more information, see Manage boot images.
6. Complete the wizard.
7. In the Task Sequences node, select the new task sequence. Then on the Home tab of the ribbon, in the
Task Sequence group, select Edit . This action opens the task sequence editor.
8. If the Configuration Manager client is installed on the reference computer:
Go to the Add menu, select Images , and then choose Prepare ConfigMgr Client for Capture. This step
generalizes the Configuration Manager client on the reference computer.

NOTE
The task sequence doesn't support uninstalling the Configuration Manager client.

9. Go to the Add menu, select Images , and choose Prepare Windows for Capture. This step runs Sysprep, and
then restarts the computer to the Windows PE boot image specified for the task sequence. For this action to
complete successfully, don't join the reference computer to a domain.
10. Go to the Add menu, select Images , and choose Capture Operating System Image. This step only runs
from Windows PE to capture the hard drives on the reference computer. Configure the following settings:
Name and Description : Optionally, you can change the name of the task sequence step and
provide a description.
Destination : Specify a shared network folder where the output .WIM file is stored. This file contains
the OS image based on the settings that you specify by using this wizard. If you specify a folder that
contains an existing .WIM file, it's overwritten.
Description , Version , and Created by : Optionally, provide details about the image to capture.
 Capture operating system image account : Specify the Windows account that has permissions
to the network share you specified. Select Set to specify the name of that Windows account.
Select OK to save your changes and close the task sequence editor.
Deploy the task sequence to a reference computer in one of the following ways:
If the reference computer is already a Configuration Manager client, deploy the capture task sequence to a
collection that contains the reference computer. For more information, see Deploy a task sequence.
If the reference computer isn't a Configuration Manager client, or if you want to manually run the task
sequence on the reference computer, use the Create Task Sequence Media Wizard to create capture
media. For more information, see Create capture media.
After you capture the image, you can deploy it to other computers. For more information about how to deploy the
captured OS image, see Create a task sequence to install an OS.

Example task sequence

Use the following table as a guide as you create a task sequence that builds and captures an OS image. The table
helps you decide the general sequence for your task sequence steps, and how to organize and structure those
steps into logical groups. The task sequence that you create may vary from this sample. It can contain more or less
steps and groups.

NOTE
Always use the Create Task Sequence Wizard to create this type of task sequence.
The wizard adds steps to the task sequence with slightly different names that what you'd see if you manually add the same
steps.

Group: Build the Reference Machine

This group contains the actions necessary to build a reference computer.

TA SK SEQ UEN C E ST EP DESC RIP T IO N

Restar t in Windows PE Restart the destination computer to the boot image assigned
to the task sequence. This step displays a message to the user
that the computer will be restarted so that the installation can
continue.

This step uses the read-only _SMSTSInWinPE task sequence

variable. If the associated value equals false , then the task
sequence step continues.

Par tition Disk 0 - BIOS Partition and format the hard drive on the destination
computer in BIOS mode. The default disk number is 0 .

This step uses several read-only task sequence variables. For

example, it only runs if the Configuration Manager client
cache doesn't exist, and doesn't run if the computer is
configured for UEFI.
 TA SK SEQ UEN C E ST EP DESC RIP T IO N

Par tition Disk 0 - UEFI Partition and format the hard drive on the destination
computer in UEFI mode. The default disk number is 0 .

This step uses several read-only task sequence variables. For

example, it only runs if the Configuration Manager client
cache doesn't exist, and only runs if the computer is
configured for UEFI.

Apply Operating System Install the specified OS image on the destination computer.
This step first deletes all files on the volume, other than
Configuration Manager-specific control files. It then applies all
volume images contained in the WIM file to the
corresponding sequential disk volume on the target computer.

Apply Windows Settings Configure the Windows settings for the destination computer.

Apply Network Settings Specify the network or workgroup configuration information

for the destination computer.

Apply Device Drivers Match and install drivers as part of this OS deployment. For
more information, see Auto Apply Drivers.

This step uses the read-only _SMSTSMediaType task

sequence variable. If the associated value doesn't equal
FullMedia , this step doesn't run.

Setup Windows and Configuration Manager Install the Configuration Manager client software.
Configuration Manager installs and registers the
Configuration Manager client GUID. Include any necessary
Installation proper ties .

Install Updates Specify how software updates are installed on the destination
computer. The destination computer isn't evaluated for
applicable software updates until this step runs. At that point,
the evaluation is similar to any other Configuration Manager-
managed client. For more information, see Install Software
Updates.

This step uses the read-only _SMSTSMediaType task

sequence variable. If the associated value doesn't equal
FullMedia , this step doesn't run.

Install Applications Specifies any applications to install on the reference computer.

Group: Capture the Reference Machine

This group contains the necessary steps to prepare and capture a reference computer.

TA SK SEQ UEN C E ST EP DESC RIP T IO N

Prepare Configuration Manager Client Generalize the Configuration Manager client on the reference
computer.

Prepare OS Runs Sysprep to generalize Windows. It then restarts the

computer into the Windows PE boot image specified for the
task sequence.
 TA SK SEQ UEN C E ST EP DESC RIP T IO N

Capture the Reference Machine Captures the image to the specified network share and .WIM
file.

IMPORTANT
After you capture an image from a reference computer, don't capture another OS image from the reference computer.
Registry entries are created during the initial configuration. Create a new reference computer each time that you capture the
OS image. If you plan to use the same reference computer to create future OS images, first uninstall and reinstall the
Configuration Manager client.

Next steps
Methods to deploy enterprise operating systems
 Create a task sequence to capture and restore user
state in Configuration Manager
9/4/2020 • 4 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Use Configuration Manager task sequences to capture and restore the user state data in OS deployment scenarios.
In these scenarios, you want to retain the user state of the current OS. Depending on the type of task sequence you
create, the capture and restore steps might be automatically added as part of the task sequence. In other scenarios,
you might need to manually add the capture and restore steps to the task sequence. This article provides the steps
that you must add to an existing task sequence to capture and restore user state data.

Task sequence steps

To capture and restore the user state, add the following steps to the task sequence:
Request State Store: If you store the user state on the state migration point, you need this step.
Capture User State: This step captures the user state data. It then stores the data on either the state
migration point or the local disk using hardlinks.
Restore User State: This step restores the user state data on the destination computer. It can retrieve the
data from a state migration point or if hardlinked on the local disk.
Release State Store: If you store the user state on the state migration point, you need this step. This step
removes the data from the state migration point.
Use the following procedures to add the task sequence steps needed to capture and restore the user state. For
more information about creating a task sequence, see Manage task sequences to automate tasks.

Capture the user state

To add task sequence steps to capture the user state, use the following steps:
1. In the Task Sequence list, select a task sequence, and then click Edit .
2. If you're using a state migration point to store the user state, add the Request State Store step to the task
sequence. In the Task Sequence Editor , click Add . Point to User State , and then click Request State
Store . Configure the properties and options for this step, and then click Apply . For more information about
the available settings, see Request State Store.
3. Add the Capture User State step to the task sequence. In the Task Sequence Editor , click Add . Point to
User State , and then click Capture User State . Configure the properties and options for this step, and
then click Apply . For more information about the available settings, see Capture User State.

IMPORTANT
When you add this step to your task sequence, also set the OSDStateStorePath task sequence variable to specify
where to store the user state data. If you store the user state locally, don't specify a root folder as that can cause the
task sequence to fail. When you store the user data locally always use a folder or subfolder. For more information
about this variable, see Task sequence variables.
4. If you're using a state migration point, add the Release State Store step to the task sequence. In the Task
Sequence Editor , click Add . Point to User State , and then click Release State Store . Configure the
properties and options for this step, and then click Apply . For more information about the available
settings, see Release State Store.

IMPORTANT
The task sequence action that runs before the Release State Store step must be successful before the Release
State Store step starts.

Deploy this task sequence to capture the user state on a destination computer. For information about how to
deploy task sequences, see Deploy a task sequence.

Restore the user state

To add task sequence steps to restore the user state, use the following steps:
1. In the Task Sequence list, select a task sequence, and then click Edit .
2. Add the Restore User State step to the task sequence. In the Task Sequence Editor , click Add . Point to
User State , and then click Restore User State . This step establishes a connection to the state migration
point if necessary. Configure the properties and options for this step, and then click Apply . For more
information about the available settings, see Restore User State.

IMPORTANT
When you use the Capture User State step with the option to Capture all user profiles with standard options ,
you must select the Restore local computer user profiles setting in the Restore User State step. Otherwise
the task sequence will fail.

NOTE
If you store the user state by using local hardlinks and the restore isn't successful, you can manually delete the
hardlinks that were created to store the data. The task sequence can run the USMTUtils tool to automate this action
with a Run Command Line step. If you use USMTUtils to delete the hardlink, add a Restart Computer step after you
run USMTUtils.

3. If you're using a state migration point to store the user state, add the Release State Store step to the task
sequence. In the Task Sequence Editor , click Add . Point to User State , and then click Release State
Store . Configure the properties and options for this step, and then click Apply . For more information about
the available settings, see Release State Store.

IMPORTANT
The task sequence action that runs before the Release State Store step must be successful before the Release
State Store step starts.

Deploy this task sequence to restore the user state on a destination computer. For information about deploying
task sequences, see Deploy a task sequence.

Next steps
Monitor the task sequence deployment
 Create a custom task sequence with Configuration
Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

When you create a custom task sequence in Configuration Manager, it contains no task sequence steps. After you
create the task sequence, edit it, and add the task sequence steps you need.

Create a custom task sequence

Use the following procedure to create a custom task sequence:
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence . This action starts the
Create Task Sequence Wizard.
3. On the Create a New Task Sequence page, select Create a new custom task sequence .
4. On the Task Sequence Information page, specify:
A name for the task sequence
A description of the task sequence
An optional boot image for the task sequence to use
After you complete the Create Task Sequence Wizard, Configuration Manager adds the custom task sequence to
the Task Sequences node. You can now edit this task sequence to add task sequence steps to it.

See also
For a list of available task sequence steps, see Task sequence steps.
For more information about how to edit a task sequence, see Use the task sequence editor.
Most often you'll use task sequences to automate tasks for OS deployment, but you can create a custom task
sequence to automate different kinds of tasks. For more information, see Create a task sequence for non-OS
deployments.
Starting in version 2002, install complex applications using task sequences via the application model. Add a
deployment type to an app that's a task sequence, either to install or uninstall the app. For more information, see
Create Windows applications.

Next steps
Deploy the task sequence
 Deploy a task sequence
9/4/2020 • 16 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

After you create a task sequence, and distribute the referenced content, deploy it to a device collection. This
action allows the task sequence to run on a device. A deployed task sequence can run automatically, or when
installed by a user of the device.

WARNING
You can manage the behavior for high-risk task sequence deployments. A high-risk deployment is a deployment that is
automatically installed and has the potential to cause unwanted results. For example, a task sequence that has a
purpose of Required that deploys an OS is considered a high-risk deployment. For more information, see Settings to
manage high-risk deployments.

Process
Use the following procedure to deploy a task sequence to the computers in a collection.

NOTE
The status messages for the task sequence deployment are displayed in the message window on a primary site, but
they aren't displayed on a central administration site.

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. In the Task Sequence list, select the task sequence that you want to deploy.
3. On the Home tab of the ribbon, in the Deployment group, select Deploy .

NOTE
If Deploy isn't available, the task sequence has a reference that's not valid. Correct the reference and then try to
deploy the task sequence again.

4. On the General page, specify the following information.

Task sequence : Specify the task sequence to deploy. By default, this box displays the selected
task sequence.
Collection : Select the collection that contains the computers to run the task sequence.
Don't deploy a task sequence that installs an OS to inappropriate collections, such as a collection
of all your data center servers. Be sure that the selected collection contains only those computers
that you want to run the task sequence.
For more information about high-risk deployments, see High-risk deployments.
Use default distribution point groups associated to this collection : Store the task
sequence content on the collection's default distribution point group. If you haven't associated
 the selected collection with a distribution point group, this option is grayed out.
Automatically distribute content for dependencies : If any referenced content has
dependencies, then the site also sends dependent content to distribution points.
Pre-download content for this task sequence : For more information, see Configure pre-
cache content.
Select Deployment Template : Save and specify a deployment template for a task sequence.

IMPORTANT
Some items aren't saved in the template. Make sure you apply the following items when you run the
deployment wizard:
Software Installation
Scheduling
Pre-download content

Comments (optional) : Specify additional information that describes this deployment of the
task sequence.
5. On the Deployment Settings page, specify the following information:
Purpose : From the drop-down list, choose one of the following options:
Available : The user sees the task sequence in Software Center and can install it on
demand.
Required : Configuration Manager automatically runs the task sequence according to the
configured schedule. If the task sequence isn't hidden, a user can still track its deployment
status. They can also use Software Center to install the task sequence before the deadline.

NOTE
If multiple users are signed into the device, package and task sequence deployments may not appear in
Software Center.

Make available to the following : Specify whether the task sequence is available to one of the
following types:
Only Configuration Manager clients
Configuration Manager clients, media, and PXE
Only media and PXE
Only media and PXE (hidden)

IMPORTANT
Use the Only media and PXE (hidden) setting for automated task sequence deployments. To have
the computer automatically boot to the deployment with no user interaction, select Allow unattended
operating system deployment and set the SMSTSPreferredAdver tID variable as part of the
media. For more information about task sequence variables, see Task sequence variables.

Send wake-up packets : If the deployment is Required and you select this option, the site
sends a wake-up packet to computers before the client runs the deployment. This packet wakes
the computer from sleep at the installation deadline time. Before using this option, computers
 and networks must be configured for Wake On LAN. For more information, see Plan how to
wake up clients.
Allow clients on a metered Internet connection to download content after the
installation deadline, which might incur additional costs : This option is only available for
Required deployments. When you have a custom task sequence that installs an application but
doesn't deploy an OS, you can specify whether to allow clients to download content after an
installation deadline when they use metered internet connections. Internet providers sometimes
charge by the amount of data that you use when you're on a metered internet connection.

NOTE
While using a metered internet connection might work for task sequences that don't deploy an OS, it's
not supported.

6. On the Scheduling page, specify the following information:

IMPORTANT
When a Windows PE client starts from PXE or boot media, the client doesn't evaluate deployment schedules.
These schedules include start, expire, and deadline times. Only configure schedules in deployments to clients
that start from the full Windows OS. Consider using other methods, such as maintenance windows, to control
active task sequences deployed to clients that start from Windows PE.

Schedule when this deployment will become available : Specify the date and time when
the task sequence is available to run on the destination computer. When you select the UTC
option, the task sequence is available for multiple computers at the same time. Otherwise the
deployment is available at different times, according to the local time on each computer.
If the start time is earlier than the required time, the client downloads the task sequence content
at the start time.
Schedule when this deployment will expire : Specify the date and time when the task
sequence expires on the destination computer. When you select the UTC option, the task
sequence expires on multiple destination computers at the same time. Otherwise the
deployment expires at different times, according to the local time on each computer.
Assignment schedule : For a Required deployment, specify when the client runs the task
sequence. You can add multiple schedules. The assignment schedule can have one of the
following configurations:
A specific date and time
Monthly, weekly, or custom recurrence pattern
As soon as possible
Log on or log off events

NOTE
If you schedule a start time for a required deployment that's earlier than the date and time when the
task sequence is available, the Configuration Manager client downloads the content at the assigned start
time. This behavior occurs even though you scheduled the task sequence to be available at a later time.

Rerun behavior : Specify when the task sequence reruns. Select one of the following options:
 Never rerun deployed program : If the client has previously run the task sequence, it
doesn't rerun. The task sequence doesn't rerun even if it originally failed or the task
sequence files have changed.
Always rerun program : The task sequence always reruns on the client when the
deployment is scheduled. It reruns even if the task sequence has already run successfully.
This setting is useful when you use recurring deployments in which the task sequence is
routinely updated.

IMPORTANT
This option is selected by default. However, it has no effect until you assign a required
deployment. A user can always rerun available deployments.

Rerun if failed previous attempt : The task sequence reruns when the deployment is
scheduled, only if it previously failed to run. This setting is useful for a required
deployment. If the last attempt to run was unsuccessful, it automatically tries to rerun
according to the assignment schedule.
Rerun if succeeded on previous attempt : The task sequence reruns only if it
previously ran successfully on the client. This setting is useful when you use recurring
deployments in which the task sequence is routinely updated, and each update requires
that the previous update is installed successfully.

NOTE
A user can rerun an available task sequence deployment. Before you deploy an available task sequence
in a production environment, first test what happens if a user reruns the task sequence multiple times.

7. On the User Experience page, specify the following information:

Allow user to run the program independently of assignments : Specify whether a user
can run a required deployment outside of the assignment schedule. This option is always
enabled for available deployments.
Show Task Sequence progress : Specify whether the Configuration Manager client displays
the progress of the task sequence.
Software installation : Specify whether the user is allowed to install software outside a
configured maintenance window after the scheduled time.
System restar t (if required to complete the installation) : Specify whether the user is
allowed to restart the computer after a software installation outside a configured maintenance
window after the assignment time.
Write filter handling for Windows Embedded devices : This setting controls the installation
behavior on Windows Embedded devices that are enabled with a write filter. Choose the option
to commit changes at the installation deadline or during a maintenance window. When you
select this option, a restart is required and the changes persist on the device. Otherwise, the
application is installed to the temporary overlay, and committed later. When you deploy a task
sequence to a Windows Embedded device, make sure the device is a member of a collection that
has a configured maintenance window.
Allow task sequence to run for client on the Internet : Specify whether the task sequence is
allowed to run on an internet-based client.
 This setting is supported for deployments of a Windows 10 in-place upgrade task sequence to
internet-based clients through the cloud management gateway (CMG). For more information, see
Deploy Windows 10 in-place upgrade via CMG.
Starting in version 2006, you can deploy a task sequence with a boot image to a device that
communicates through the CMG. The user needs to start the task sequence from Software
Center.

NOTE
When an Azure Active Directory (Azure AD)-joined client runs an OS deployment task sequence, the
client in the new OS won't automatically join Azure AD. Even though it's not Azure AD-joined, the client
is still managed.
When you run an OS deployment task sequence on an internet-based client, that's either Azure AD-
joined or uses token-based authentication, you need to specify the CCMHOSTNAME property in the
Setup Windows and ConfigMgr step.

In version 2002 and earlier, operations that require a boot media aren't supported with this
setting. Use this option only for generic software installations or script-based task sequences that
run operations in the standard OS.

NOTE
For all internet-based task sequence scenarios, start the task sequence from Software Center. They don't
support Windows PE, PXE, or task sequence media.

8. On the Aler ts page, specify the alert settings that you want for this task sequence deployment.
9. On the Distribution Points page, specify the following information:
Deployment options : For more information, see Deployment options.
When no local distribution point is available, use a remote distribution point : Specify
whether clients can use distribution points from a neighbor boundary group to download the
content that's required by the task sequence.
Allow clients to use distribution points from the default site boundar y group : Specify
if clients should download content from a distribution point in the site default boundary group,
when it isn't available from a distribution point in the current or neighbor boundary groups.

NOTE
Starting in version 1810, when a device runs a task sequence and needs to acquire content, it uses
boundary group behaviors similar to the Configuration Manager client. For more information, see Task
sequence support for boundary groups.

10. To save these settings to use again, on the Summar y tab select Save As Template . Supply a name for
the template and select the settings to save.
11. Complete the wizard.
Deployment options
These options are on the Distribution Points tab of the task sequence deployment. They're dynamic based
upon other selections in the deployment and attributes of the task sequence. You may not always see all
options.

NOTE
When you use multicast to deploy an OS, download the content to the computers either as needed or before the task
sequence runs.

Download content locally when needed by the running task sequence : Specify that clients
download content from the distribution point as it's needed by the task sequence. The client starts the
task sequence. When a step in the task sequence requires content, it's downloaded before the step runs.
Download all content locally before star ting task sequence : Specify that clients download all the
content from the distribution point before the task sequence runs. If you make the task sequence
available to PXE and boot media deployments on the Deployment Settings page, this option isn't
shown.
Access content directly from a distribution point when needed by the running task
sequence : Specify that clients run the content from the distribution point. This option is only available
when you enable all packages associated with the task sequence to use a package share on the
distribution point. To enable content to use a package share, see the Data Access tab in the Proper ties
for each package.

IMPORTANT
For greatest security, select the options to Download content locally when needed by the running task
sequence or Download all content locally before star ting task sequence . When you select either of these
options, Configuration Manager hashes the package, so that it can ensure package integrity. When you select the
option to Access content directly from a distribution point when needed by the running task sequence ,
Configuration Manager doesn't verify the package hash prior to running the specified program. Because the site can't
ensure package integrity, it's possible for users with administrative rights to alter or tamper with package contents.

Example 1: One deployment option

You deploy an OS deployment task sequence that wipes the disk and applies an image. On the Deployment
Settings page, you make it available to an option that includes media and PXE:

On the Distribution Points page, there's only one deployment option:

Download content locally when needed by the running task sequence

The option to Download all content locally before star ting task sequence isn't available because the
deployment is made available to media and PXE.
The option to Access content directly from a distribution point when needed by the running task
sequence isn't available. Not all of the referenced content uses a package share.
Example 2: Two deployment options
You deploy an OS deployment task sequence that wipes the disk and applies an image. On the Deployment
Settings page, you make it available to Only Configuration Manager clients . On the Distribution Points
page, there are two deployment options available:
Download content locally when needed by the running task sequence
Download all content locally before star ting task sequence

The option to Access content directly from a distribution point when needed by the running task
sequence isn't available. Not all of the referenced content uses a package share.
Example 3: Three deployment options
You have several packages with administrative scripts and associated content. On the Data Access tab of the
package properties, you configure all of them to Copy the content in this package to a package share
on distribution points .
You create a task sequence that only has several Install Package steps for these script packages, and the
deploy it. On the Deployment Settings page, the only option is to make available to Only Configuration
Manager clients . This option is the only available. The task sequence isn't for OS deployment, because it
doesn't have a boot image associated with it. On the Distribution Points page, there are three deployment
options available:
Download content locally when needed by the running task sequence
Download all content locally before star ting task sequence
Access content directly from a distribution point when needed by the running task sequence

Deploy Windows 10 in-place upgrade via CMG

The Windows 10 in-place upgrade task sequence supports deployment to internet-based clients managed
through the cloud management gateway (CMG). This ability allows remote users to more easily upgrade to
Windows 10 without needing to connect to the intranet.
Make sure all of the content referenced by the in-place upgrade task sequence is distributed to a content-
enabled CMG. (Enable the CMG setting: Allow CMG to function as a cloud distribution point and ser ve
content from Azure storage .) You can also use a cloud distribution point. Otherwise devices can't run the
task sequence.
When you deploy an upgrade task sequence, use the following settings:
Allow task sequence to run for client on the Internet , on the User Experience tab of the
deployment.
Choose one of the following options on the Distribution Points tab of the deployment:
Download content locally when needed by the running task sequence . Starting in
version 1910, the task sequence engine can download packages on-demand from a content-
enabled CMG or a cloud distribution point. This change provides additional flexibility with your
Windows 10 in-place upgrade deployments to internet-based devices.
 Download all content locally before star ting task sequence . In Configuration Manager
version 1906 and earlier, other options such as Download content locally when needed by
the running task sequence don't work in this scenario. The task sequence engine can't
download content from a cloud source. The Configuration Manager client must download the
content from the cloud source before starting the task sequence. You can still use this option in
version 1910 if needed to meet your requirements.
(Optional) Pre-download content for this task sequence , on the General tab of the deployment.
For more information, see Configure pre-cache content.

NOTE
Start the task sequence from Software Center. This scenario doesn't support Windows PE, PXE, or task sequence media.

High-risk deployments
When you deploy a high-risk deployment, such as an OS, the Select Collection window displays only the
custom collections that meet the deployment verification settings that are configured in the site's properties.
High-risk deployments are always limited to custom collections, collections that you create, and the built-in
Unknown Computers collection. When you create a high-risk deployment, you can't select a built-in
collection such as All Systems . To see all custom collections that contain fewer clients than the configured
maximum size, disable the option to Hide collections with a member count greater than the site's
minimum size configuration . For more information, see Settings to manage high-risk deployments.
The deployment verification settings are based on the current membership of the collection. After you deploy
the task sequence, Configuration Manager doesn't reevaluate the collection membership for the high-risk
deployment settings.
For example, let's say you set Default size to 100 and the Maximum size to 1000. When you create a high
risk deployment, the Select Collection window only displays collections that contain fewer than 100 clients.
If you clear the Hide collections with a member count greater than the site's minimum size
configuration setting, the window displays collections that contain fewer than 1000 clients.
When you select a collection that contains a site role, the following behavior applies:
If the collection contains a site system server, and you configured the deployment verification settings
to block collections with site system servers, then an error occurs. You can't continue creating the
deployment.
If one of the following criteria applies, then the Deploy Software Wizard displays a high-risk warning. To
continue, you need to agree to create a high-risk deployment. The site generates an audit status
message.
If the collection contains a site system server, and you configured the deployment verification
settings to warn on collections with site system servers
If the collection exceeds the default size value
If the collection contains a server

See also
Manage task sequences to automate tasks
 Create phased deployments with Configuration
Manager
9/4/2020 • 8 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Phased deployments automate a coordinated, sequenced rollout of software across multiple collections. For
example, deploy software to a pilot collection, and then automatically continue the rollout based on success
criteria. Create phased deployments with the default of two phases, or manually configure multiple phases.
Create phased deployments for the following objects:
Task sequence
The phased deployment of task sequences doesn't support PXE or media installation
Application
Software update
You can't use an automatic deployment rule (ADR) with a phased deployment

Prerequisites
Security scope
Deployments created by phased deployments aren't viewable to any administrative user that doesn't have the All
security scope. For more information, see Security scopes.
Distribute content
Before creating a phased deployment, distribute the associated content to a distribution point.
Application : Select the target application in the console and use the Distribute Content action in the
ribbon. For more information, see Deploy and manage content.
Task sequence : You have to create referenced objects like the OS upgrade package before creating the task
sequence. Distribute these objects before creating a deployment. Use the Distribute Content action on
each object, or the task sequence. To view status of all referenced content, select the task sequence, and
switch to the References tab in the details pane. For more information, see the specific object type in
Prepare for OS deployment.
Software update : create the deployment package and distribute it. Use the Download Software Updates
Wizard. For more information, see Download software updates.

Phase settings
These settings are unique to phased deployments. Configure these settings when creating or editing the phases to
control the scheduling and behavior of the phased deployment process.
Starting in version 2002, use the following Windows PowerShell cmdlets to manually configure phases for
software update and task sequence phased deployments:
New-CMSoftwareUpdatePhase
New-CMTaskSequencePhase
Criteria for success of the first phase
 Deployment success percentage : Specify the percent of devices that need to successfully complete the
deployment for the first phase to succeed. By default, this value is 95%. In other words, the site considers
the first phase successful when the compliance state for 95% of the devices is Success for this deployment.
The site then continues to the second phase, and creates a deployment of the software to the next collection.
Number of devices successfully deployed : Specify the number of devices that need to successfully
complete the deployment for the first phase to succeed. This option is useful when the size of the collection
is variable, and you have a specific number of devices to show success before moving to the next phase.
Conditions for beginning second phase of deployment after success of the first phase
Automatically begin this phase after a deferral period (in days) : Choose the number of days to wait
before beginning the second phase after the success of the first. By default, this value is one day.
Manually begin the second phase of deployment : The site doesn't automatically begin the second
phase after the first phase succeeds. This option requires that you manually start the second phase. For
more information, see Move to the next phase.

NOTE
This option isn't available for phased deployments of applications.

Gradually make this software available over this period of time (in days)
Configure this setting for the rollout in each phase to happen gradually. This behavior helps mitigate the risk of
deployment issues, and decreases the load on the network that is caused by the distribution of content to clients.
The site gradually makes the software available depending on the configuration for each phase. Every client in a
phase has a deadline relative to the time the software is made available. The time window between the available
time and deadline is the same for all clients in a phase. The default value of this setting is zero, so by default the
deployment isn't throttled. Don't set the value higher than 30.
Configure the deadline behavior relative to when the software is made available
Installation is required as soon as possible : Set the deadline for installation on the device as soon as
the device is targeted.
Installation is required after this period of time : Set a deadline for installation a certain number of
days after device is targeted. By default, this value is seven days.

Automatically create a default two-phase deployment

1. Start the Create Phased Deployment wizard in the Configuration Manager console. This action varies based
on the type of software you're deploying:
Application : Go to the Software Librar y , expand Application Management , and select
Applications . Select an existing application, and then choose Create Phased Deployment in the
ribbon.
Software update : Go to the Software Librar y , expand Software Updates , and select All
Software Updates . Select one or more updates, and then choose Create Phased Deployment in
the ribbon.
This action is available for software updates from the following nodes:
Software Updates
All Software Updates
Software Update Groups
 Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence : Go to the Software Librar y workspace, expand Operating Systems , and select
Task Sequences . Select an existing task sequence, and then choose Create Phased Deployment
in the ribbon.
2. On the General page, give the phased deployment a Name , Description (optional), and select
Automatically create a default two phase deployment .
3. Select Browse and choose a target collection for both the First Collection and Second Collection fields.
For a task sequence and software updates, select from device collections. For an application, select from
user or device collections. Select Next .

IMPORTANT
The Create Phased Deployment wizard doesn't notify you if a deployment is potentially high-risk. For more
information, see Settings to manage high-risk deployments and the note when you Deploy a task sequence.

4. On the Settings page, choose one option for each of the scheduling settings. For more information, see
Phase settings. Select Next when complete.
5. On the Phases page, see the two phases that the wizard creates for the specified collections. Select Next .
These instructions cover the procedure to automatically create a default two-phase deployment. The wizard
lets you add, remove, reorder, edit, or view phases for a phased deployment. For more information on these
additional actions, see Create a phased deployment with manually configured phases.
6. Confirm your selections on the Summar y tab, and then select Next to complete the wizard.

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager product
and documentation while the console is being updated.

Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment

Create a phased deployment with manually configured phases

Create a phased deployment with manually configured phases for a task sequence. Add up to 10 additional phases
from the Phases tab of the Create Phased Deployment wizard.

NOTE
You can't currently manually create phases for an application. The wizard automatically creates two phases for application
deployments.

1. Start the Create Phased Deployment wizard for either a task sequence or software updates.
2. On the General page of the Create Phased Deployment wizard, give the phased deployment a Name ,
Description (optional), and select Manually configure all phases .
3. From the Phases page of the Create Phased Deployment wizard, the following actions are available:
Filter the list of deployment phases. Enter a string of characters for a case-insensitive match of the
Order, Name, or Collection columns.
Add a new phase:
a. On the General page of the Add Phase Wizard, specify a Name for the phase, and then
browse to the target Phase Collection . The additional settings on this page are the same as
when normally deploying a task sequence or software updates.
b. On the Phase Settings page of the Add Phase Wizard, configure the scheduling settings, and
select Next when complete. For more information, see Settings.

NOTE
You can't edit the phase settings, Deployment success percentage or Number of devices
successfully deployed , on the first phase. These settings only apply to phases that have a previous
phase.

c. The settings on the User Experience and Distribution Points pages of the Add Phase
Wizard are the same as when normally deploying a task sequence or software updates.
d. Review the settings on the Summar y page, and then complete the Add Phase Wizard.
Edit : This action opens the selected phase's Properties window, which has tabs the same as the pages
of the Add Phase Wizard.
Remove : This action deletes the selected phase.

WARNING
There is no confirmation, and no way to undo this action.

Move Up or Move Down : The wizard orders the phases by how you add them. The most recently
added phase is last in the list. To change the order, select a phase, and then use these buttons to
move the phase's location in the list.

IMPORTANT
Review the phase settings after changing the order. Make sure the following settings are still consistent with
your requirements for this phased deployment:
Criteria for success of the previous phase
Conditions for beginning this phase of deployment after success of the previous phase

4. Select Next . Review the settings on the Summar y page, and then complete the Create Phased Deployment
wizard.
Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequenceManualPhasedDeployment
After you create a phased deployment, open its properties to make changes:
Add additional phases to an existing phased deployment.
 If a phase isn't active, you can Edit , Remove , or Move it up or down. You can't move it before an active
phase.
When a phase is active, it's read-only. You can't edit it, remove it, or move its location in the list. The only
option is to View the properties of the phase.
An application phased deployment is always read-only.

Next steps
Manage and monitor phased deployments:
Application
Software update
Task sequence
 Manage and monitor phased deployments
9/4/2020 • 4 minutes to read • Edit Online

This article describes how to manage and monitor phased deployments. Management tasks include manually
beginning the next phase, and suspend or resume a phase.
First, you need to create a phased deployment:
Application
Software update
Task sequence

Move to the next phase

When you select the setting, Manually begin the second phase of deployment , the site doesn't automatically
start the next phase based on success criteria. You need to move the phased deployment to the next phase.
1. How to start this action varies based on the type of deployed software:
Application : Go to the Software Librar y workspace, expand Application Management , and
select Applications .
Software update : Go to the Software Librar y workspace, and then select one of the following
nodes:
Software Updates
All Software Updates
Software Update Groups
Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence : Go to the Software Librar y workspace, expand Operating Systems , and select
Task Sequences .
2. Select the software with the phased deployment.
3. In the details pane, switch to the Phased Deployments tab.
4. Select the phased deployment, and click Move to next phase in the ribbon.

Starting in version 2002, use the following Windows PowerShell cmdlet for this task: Move-
CMPhasedDeploymentToNext.

Suspend and resume phases

You can manually suspend or resume a phased deployment. For example, you create a phased deployment for a
task sequence. While monitoring the phase to your pilot group, you notice a large number of failures. You suspend
the phased deployment to stop further devices from running the task sequence. After resolving the issue, you
resume the phased deployment to continue the rollout.
1. How to start this action varies based on the type of deployed software:
Application : Go to the Software Librar y workspace, expand Application Management , and
select Applications .
Software update : Go to the Software Librar y workspace, and then select one of the following
nodes:
Software Updates
All Software Updates
Software Update Groups
Windows 10 Servicing, All Windows 10 Updates
Office 365 Client Management, Office 365 Updates
Task sequence : Go to the Software Librar y workspace, expand Operating Systems , and select
Task Sequences . Select an existing task sequence, and then click Create Phased Deployment in
the ribbon.
2. Select the software with the phased deployment.
3. In the details pane, switch to the Phased Deployments tab.
4. Select the phased deployment, and click Suspend or Resume in the ribbon.

NOTE
Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise . For more
information, see Name change for Office 365 ProPlus. You may still see the old name in the Configuration Manager product
and documentation while the console is being updated.

Starting in version 2002, use the following Windows PowerShell cmdlets for this task:
Suspend-CMPhasedDeployment
Resume-CMPhasedDeployment

Monitor
Phased deployments have their own dedicated monitoring node, making it easier to identify phased deployments
you have created and navigate to the phased deployment monitoring view. From the Monitoring workspace,
select Phased Deployments , then double-click one of the phased deployments to see the status.
This dashboard shows the following information for each phase in the deployment:
Total devices or Total resources : How many devices are targeted by this phase.
Status : The current status of this phase. Each phase can be in one of the following states:
Deployment created : The phased deployment created a deployment of the software to the
collection for this phase. Clients are actively targeted with this software.
Waiting : The previous phase hasn't yet reached the success criteria for the deployment to continue
to this phase.
Suspended : An administrator suspended the deployment.
Progress : The color-coded deployment states from clients. For example: Success, In Progress, Error,
Requirements Not Met, and Unknown.
Success criteria tile
Use the Select Phase drop-down list to change the display of the Success Criteria tile. This tile compares the
Phase Goal against the current compliance of the deployment. With the default settings, the phase goal is 95%.
This value means that the deployment needs a 95% compliance to move to the next phase.
In the example, the phase goal is 65%, and the current compliance is 66.7%. The phased deployment automatically
moved to the second phase, because the first phase met the success criteria.
The phase goal is the same as the Deployment success percentage on the Phase Settings for the next phase.
For the phased deployment to start the next phase, that second phase defines the criteria for success of the first
phase. To view this setting:
1. Go to the phased deployment object on the software, and open the Phased Deployment Properties.
2. Switch to the Phases tab. Select Phase 2 and click View .
3. In the phase Properties window, switch to the Phase Settings tab.
4. View the value for Deployment success percentage in the Criteria for success of the previous phase
group.
For example, the following properties are for the same phase as the success criteria tile shown above where the
criteria is 65%:
PowerShell
Use the following Windows PowerShell cmdlets to manage phased deployments:
Automatically create phased deployments
New-CMApplicationAutoPhasedDeployment
New-CMSoftwareUpdateAutoPhasedDeployment
New-CMTaskSequenceAutoPhasedDeployment
Manually create phased deployments
New-CMSoftwareUpdatePhase
New-CMSoftwareUpdateManualPhasedDeployment
New-CMTaskSequencePhase
New-CMTaskSequenceManualPhasedDeployment
Get existing phased deployment objects
Get-CMApplicationPhasedDeployment
Get-CMSoftwareUpdatePhasedDeployment
Get-CMTaskSequencePhasedDeployment
Get-CMPhase
Monitor phased deployment status
Get-CMPhasedDeploymentStatus
Manage existing phased deployments
Move-CMPhasedDeploymentToNext
Resume-CMPhasedDeployment
Suspend-CMPhasedDeployment
Modify existing phased deployments
Set-CMApplicationPhasedDeployment
Set-CMSoftwareUpdatePhase
Set-CMSoftwareUpdatePhasedDeployment
Set-CMTaskSequencePhase
Set-CMTaskSequencePhasedDeployment
Remove-CMApplicationPhasedDeployment
Remove-CMSoftwareUpdatePhasedDeployment
Remove-CMTaskSequencePhasedDeployment
 Manage Windows as a service using Configuration
Manager
4/20/2020 • 21 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

In Configuration Manager, you can view the state of Windows as a Service (WaaS) in your environment. Create
servicing plans to form deployment rings, and ensure that Windows 10 systems are kept up-to-date when new
builds are released. You can also view alerts when Windows 10 clients are near end of support for their Semi-
Annual Channel build.
For more information about Windows 10 servicing options, see Overview of Windows as a Service.
Use the following sections to manage Windows as a service.

Prerequisites
To see data in the Windows 10 servicing dashboard, you must do the following actions:
Windows 10 computers must use Configuration Manager software updates with Windows Server Update
Services (WSUS) for software update management. When computers use Windows Update for Business (or
Windows Insiders) for software update management, the computer isn't evaluated in Windows 10 servicing
plans. For more information, see Integration with Windows Update for Business in Windows 10.
Use a supported WSUS version:
WSUS 10.0.14393 (role in Windows Server 2016)
WSUS 10.0.17763 (role in Windows Server 2019) (Requires Configuration Manager 1810 or later)
WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
KB 3095113 and KB 3159706 (or an equivalent update) must be installed on WSUS 6.2 and 6.3.
Enable Heartbeat Discovery. The data displayed in the Windows 10 servicing dashboard is found by using
discovery. For more information, see Configure Heartbeat Discovery.
The following Windows 10 channel and build information is discovered and stored in the following
attributes:
Operating System Readiness Branch : Specifies the operating system channel. For example, 0 =
Semi-Annual Channel - Targeted (don't defer updates), 1 = Semi-Annual Channel (defer updates), 2 =
Long-Term Servicing Channel (LTSC)
Operating System Build : Specifies the operating system build. For example, 10.0.10240 (RTM) or
10.0.10586 (version 1511)
The service connection point must be installed and configured for Online, persistent connection mode to
see data on the Windows 10 servicing dashboard. When you are in offline mode, you don't see data updates
in the dashboard until you get Configuration Manager servicing updates. For more information, see About
the service connection point.
Internet Explorer 9 or later must be installed on the computer that runs the Configuration Manager console.
Software updates must be configured and synchronized. Select the Upgrades classification and synchronize
software updates before any Windows 10 feature upgrades are available in the Configuration Manager
console. For more information, see Prepare for software updates management.
 Starting in Configuration Manager version 1902, verify the Specify thread priority for feature updates
client setting to ensure it's appropriate for your environment.
Starting in Configuration Manager version 1906, verify the Enable Dynamic Update for feature
updates client setting to ensure it's appropriate for your environment.

Windows 10 servicing dashboard

The Windows 10 servicing dashboard provides you with information about Windows 10 computers in your
environment, active servicing plans, compliance information, and so on. The data in the Windows 10 servicing
dashboard is dependent on having the Service Connection Point installed. The dashboard has the following tiles:
Windows 10 Usage tile : Provides a breakdown of public builds of Windows 10. Windows Insiders builds
are listed as other as well as any builds that aren't yet known to your site. The service connection point
downloads metadata that informs it about the Windows builds, and then this data is compared against
discovery data.
Windows 10 Rings tile : Provides a breakdown of Windows 10 by channel and readiness state. The LTSC
segment includes all LTSC versions. The first tile breaks down the specific versions, for example, Windows 10
LTSC 2015.
Create Ser vice Plan tile : Provides a quick way to create a servicing plan. You specify the name, collection
(only displays the top 10 collections by size, smallest first), deployment package (only displays the top 10
packages by most recently modified), and readiness state. Default values are used for the other settings.
Click Advanced Settings to start the Create Servicing Plan wizard where you can configure all of the
service plan settings.
Expired tile : Displays the percentage of devices that are on a build of Windows 10 that is past its end of life.
Configuration Manager determines the percentage from the metadata that the Service Connection Point
downloads and compares it against discovery data. A build that is past its end of life is no longer receiving
monthly cumulative updates, which include security updates. The computers in this category should be
upgraded to the next build version. Configuration Manager rounds up to the next whole number. For
example, if you have 10,000 computers and only one on an expired build, the tile displays 1%.
Expire Soon tile : Displays the percentage of computers that are on a build that is near end of life (within
about four months), similar to the Expired tile. Configuration Manager rounds up to the next whole number.
Aler ts tile : Displays active alerts.
Ser vice Plan Monitoring tile : Display servicing plans that you've created and a chart of the compliance
for each. This tile gives you a quick overview of the current state of the servicing plan deployments. If an
earlier deployment ring meets your expectations for compliance, then you can select a later servicing plan
(deploying ring) and click Deploy Now instead of waiting for the servicing plan rules to be triggered
automatically.
The Windows 10 Builds tile : Display is a fixed image time line that provides you an overview of the
Windows 10 builds that are currently released and gives you a general idea of when builds transition into
different states. This tile was removed starting in Configuration Manager version 1902 since more detailed
information is offered in the Product Lifecycle dashboard.

IMPORTANT
The information shown in the Windows 10 servicing dashboard (such as the support lifecycle for Windows 10 versions) is
provided for your convenience and only for use internally within your company. You should not solely rely on this information
to confirm update compliance. Be sure to verify the accuracy of the information provided to you.
Drill through required updates
(Introduced in version 1906)
You can drill through compliance statistics to see which devices require a specific Windows 10 feature update. To
view the device list, you need permission to view updates and the collections the devices belong to. To drill down
into the device list:
1. Go to Software Librar y > Windows 10 Ser vicing > All Windows 10 Updates .
2. Select any update that is required by at least one device.
3. Look at the Summar y tab and find the pie chart under Statistics .
4. Select the View Required hyperlink next to the pie chart to drill down into the device list.
5. This action takes you to a temporary node under Devices where you can see the devices requiring the update.
You can also take actions for the node such as creating a new collection from the list.

Servicing plan workflow

Windows 10 servicing plans in Configuration Manager are much like automatic deployment rules for software
updates. You create a servicing plan with the following criteria that Configuration Manager evaluates:
Upgrades classification : Only updates that are in the Upgrades classification are evaluated.
Readiness state : The readiness state defined in the servicing plan is compared with the readiness state for
the upgrade. The metadata for the upgrade is retrieved when the service connection point checks for
updates.
Time deferral : The number of days that you specify for How many days after Microsoft has
published a new upgrade would you like to wait before deploying in your environment in the
servicing plan. If the current date is after the release date plus the configured number of days, Configuration
Manager evaluates whether to include an upgrade in the deployment.
When an upgrade meets the criteria, the servicing plan adds the upgrade to the deployment package,
distributes the package to distribution points, and deploys the upgrade to the collection based on the
settings that you configure in the servicing plan. You can monitor the deployments in the Service Plan
Monitoring tile on the Windows 10 Servicing Dashboard. For more information, see Monitor software
updates.

NOTE
Windows 10, version 1903 and later was added to Microsoft Update as its own product rather than being part of the
Windows 10 product like earlier versions. This change caused you to do a number of manual steps to ensure that your
clients see these updates. We've helped reduce the number of manual steps you have to take for the new product in
Configuration Manager version 1906. For more information, see Configuring products for versions of Windows 10.

Windows 10 servicing plan

As you deploy Windows 10 Semi-Annual Channel, you can create one or more servicing plans to define the
deployment rings that you want in your environment, and then monitor them in the Windows 10 servicing
dashboard. Servicing plans use only the Upgrades software updates classification, not cumulative updates for
Windows 10. For those updates, you still need to deploy by using the software updates workflow. The end-user
experience with a servicing plan is the same as it is with software updates, including the settings that you configure
in the servicing plan.
 NOTE
You can use a task sequence to deploy an upgrade for each Windows 10 build, but it requires more manual work. You would
need to import the updated source files as an operating system upgrade package, and then create and deploy the task
sequence to the appropriate set of computers. However, a task sequence provides additional customized options, such as the
pre-deployment and post-deployment actions.

You can create a basic servicing plan from the Windows 10 servicing dashboard. After you specify the name,
collection (only displays the top 10 collections by size, smallest first), deployment package (only displays the top 10
packages by most recently modified), and readiness state, Configuration Manager creates the servicing plan with
default values for the other settings. You can also start the Create Servicing Plan wizard to configure all of the
settings. Use the following procedure to create a servicing plan by using the Create Servicing Plan wizard.

NOTE
You can manage the behavior for high-risk deployments. A high-risk deployment is a deployment that is automatically
installed and has the potential to cause unwanted results. For example, a task sequence that has a purpose of Required that
deploys Windows 10 is considered a high-risk deployment. For more information, see Settings to manage high-risk
deployments.

To create a Windows 10 servicing plan

1. In the Configuration Manager console, click Software Librar y .
2. In the Software Library workspace, expand Windows 10 Ser vicing , and then click Ser vicing Plans .
3. On the Home tab, in the Create group, click Create Ser vicing Plan . The Create Servicing Plan Wizard
opens.
4. On the General page, configure the following settings:
Name : Specify the name for the servicing plan. The name must be unique, help to describe the
objective of the rule, and identify it from others in the Configuration Manager site.
Description : Specify a description for the servicing plan. The description should provide an overview
of the servicing plan and any other relevant information that helps to identify and differentiate the
plan among others in the Configuration Manager site. The description field is optional, has a limit of
256 characters, and has a blank value by default.
5. On the Servicing Plan page, specify the Target Collection . Members of the collection receive the Windows
10 upgrades that are defined in the servicing plan.
When you deploy a high-risk deployment, such as servicing plan, the Select Collection window
displays only the custom collections that meet the deployment verification settings that are
configured in the site's properties.
High-risk deployments are always limited to custom collections, collections that you create, and the
built-in Unknown Computers collection. When you create a high-risk deployment, you can't select a
built-in collection such as All Systems . Uncheck Hide collections with a member count greater
than the site's minimum size configuration to see all custom collections that contain fewer
clients than the configured maximum size. For more information, see Settings to manage high-risk
deployments.
The deployment verification settings are based on the current membership of the collection. After you
deploy the servicing plan, the collection membership isn't reevaluated for the high-risk deployment
settings.
 For example, let's say you set Default size to 100 and the Maximum size to 1000. When you
create a high risk deployment, the Select Collection window will only display collections that
contain fewer than 100 clients. If you clear the Hide collections with a member count greater
than the site's minimum size configuration setting, the window will display collections that
contain less than 1000 clients.
When you select a collection that contains a site role, the following criteria applies:
If the collection contains a site system server and in the deployment verification settings
you configure to block collections with site system servers, then an error occurs and you
can't continue.
If the collection contains a site system server and in the deployment verification settings
you configure to warn you if collections that have site system servers, if the collection
exceeds the default size value, or if the collection contains a server, then the Deploy
Software Wizard will display a high risk warning. You must agree to create a high risk
deployment and an audit status message is created.
6. On the Deployment Ring page, configure the following settings:
Specify the Windows readiness state to which this ser vicing plan should apply : Select one
of the following options:
Semi-Annual Channel (Targeted) : In this servicing model, feature updates are available as
soon as Microsoft releases them.
Semi-Annual Channel : This servicing channel is typically used for broad deployment.
Windows 10 clients in the Semi-Annual Channel receive the same build of Windows 10 as
those devices in the targeted channel, just at a later time.
For more information about servicing channels and what options are best for you, see
Servicing channels.
How many days after Microsoft has published a new upgrade would you like to wait
before deploying in your environment : If the current date is after the release date plus the
number of days that you configure for this setting, Configuration Manager evaluates whether to
include an upgrade in the deployment.
7. On the Upgrades page, configure the search criteria to filter the upgrades that are added to the service plan.
Only upgrades that meet the specified criteria are added to the associated deployment. The following
property filters are available:
Architecture (starting in version 1810)
Language
Product Categor y (starting in version 1810)
Required

IMPORTANT
We recommend that as part of your search criteria, that you set the Required field with a value of >=1 .
Using this criteria ensures that only applicable updates are added to the service plan.

Superseded (starting in version 1810)

Title
Click Preview to view the upgrades that meet the specified criteria.
8. On the Deployment Schedule page, configure the following settings:
Schedule evaluation : Specify whether Configuration Manager evaluates the available time and
 installation deadline times by using UTC or the local time of the computer that runs the Configuration
Manager console.

NOTE
When you select local time, and then select As soon as possible for the Software available time or
Installation deadline , the current time on the computer running the Configuration Manager console is
used to evaluate when updates are available or when they are installed on a client. If the client is in a different
time zone, these actions will occur when the client's time reaches the evaluation time.

Software available time : Select one of the following settings to specify when the software updates
are available to clients:
As soon as possible : Select this setting to make the software updates that are included in the
deployment available to the client computers as soon as possible. When you create the
deployment with this setting selected, Configuration Manager updates the client policy. Then,
at the next client policy polling cycle, clients become aware of the deployment and can obtain
the updates that are available for installation.
Specific time : Select this setting to make the software updates that are included in the
deployment available to the client computers at a specific date and time. When you create the
deployment with this setting enabled, Configuration Manager updates the client policy. Then, at
the next client policy polling cycle, clients become aware of the deployment. However, the
software updates in the deployment aren't available for installation until after the configured
date and time.
Installation deadline : Select one of the following settings to specify the installation deadline for the
software updates in the deployment:
As soon as possible : Select this setting to automatically install the software updates in the
deployment as soon as possible.
Specific time : Select this setting to automatically install the software updates in the
deployment at a specific date and time. Configuration Manager determines the deadline to
install software updates by adding the configured Specific time interval to the Software
available time .

NOTE
The actual installation deadline time is the displayed deadline time plus a random amount of time up
to 2 hours. This reduces the potential impact of all client computers in the destination collection
installing the updates in the deployment at the same time.
You can configure the Computer Agent client setting Disable deadline randomization to disable
the installation randomization delay for required updates. For more information, see Computer Agent.

Delay enforcement of this deployment according to user preferences, up to the

grace period defined on the client : Select this option to honor the Grace period for
enforcement after deployment deadline (hours) client setting.
9. On the User Experience page, configure the following settings:
User notifications : Specify whether to display notification of the updates in Software Center on the
client computer at the configured Software available time and whether to display user
notifications on the client computers.
 Deadline behavior : Specify the behavior that is to occur when the deadline is reached for the
update deployment. Specify whether to install the updates in the deployment. Also specify whether to
perform a system restart after update installation regardless of a configured maintenance window.
For more information about maintenance windows, see How to use maintenance windows.
Device restar t behavior : Specify whether to suppress a system restart on servers and workstations
after updates are installed and a system restart is required to complete the installation.
Write filter handling for Windows Embedded devices : When you deploy updates to Windows
Embedded devices that are write filter enabled, you can specify to install the update on the temporary
overlay and either commit changes later or commit the changes at the installation deadline or during
a maintenance window. When you commit changes at the installation deadline or during a
maintenance window, a restart is required and the changes persist on the device.
When you deploy an update to a Windows Embedded device, make sure that the device is a
member of a collection that has a configured maintenance window.
Software updates deployment re-evaluation behavior upon restar t : To force another update
deployment evaluation cycle after restart, select the option If any update in this deployment
requires a system restar t, run updates deployment evaluation cycle after restar t .
10. On the Deployment Package page, select an existing deployment package, no deployment package, or
configure the following settings to create a new deployment package:
a. Name : Specify the name of the deployment package. This name must be unique and describes the
package content. It's limited to 50 characters.
b. Description : Specify a description that provides information about the deployment package. The
description is limited to 127 characters.
c. Package source : Specifies the location of the software update source files. Type a network path for
the source location, for example, \\ser ver\sharename\path , or click Browse to find the network
location. Create the shared folder for the deployment package source files before you continue to the
next page.
The deployment package source location that you specify cannot be used by another software
deployment package.
The SMS Provider computer account and the user that is running the wizard to download the
software updates must both have Write NTFS permissions on the download location. You should
carefully restrict access to the download location to reduce the risk of attackers tampering with the
software update source files.
You can change the package source location in the deployment package properties after
Configuration Manager creates the deployment package. But if you do so, you must first copy the
content from the original package source to the new package source location.
d. Sending priority : Specify the sending priority for the deployment package. Configuration Manager
uses the sending priority for the deployment package when it sends the package to distribution
points. Deployment packages are sent in priority order: High, Medium or Low. Packages with identical
priorities are sent in the order in which they were created. If there's no backlog, the package processes
immediately regardless of its priority.
e. Enable binar y differential replication : Enable this option if you want to use binary differential
replication.
11. On the Distribution Points page, specify the distribution points or distribution point groups that host the
update files. For more information about distribution points, see Configure a distribution point.
 NOTE
This page is available only when you create a new software update deployment package.

12. On the Download Location page, specify whether to download the update files from the Internet or from
your local network. Configure the following settings:
Download software updates from the Internet : Select this setting to download the updates from
a specified location on the Internet. This setting is enabled by default.
Download software updates from a location on the local network : Select this setting to
download the updates from a local directory or shared folder. This setting is useful when the
computer that runs the wizard doesn't have Internet access. Any computer with Internet access can
preliminarily download the updates and store them in a location on the local network that is
accessible from the computer that runs the wizard.
13. On the Language Selection page, select the languages for which the selected updates are downloaded. The
updates are downloaded only if they're available in the selected languages. Updates that aren't language-
specific are always downloaded. By default, the wizard selects the languages that you've configured in the
software update point properties. At least one language must be selected before proceeding to the next
page. When you select only languages that are not supported by an update, the download fails for the
update.
14. On the Summary page, review the settings and click Next to create the servicing plan.
After you've completed the wizard, the servicing plan will run. It adds the updates that meet the specified criteria to
a software update group, download the updates to the content library on the site server, distribute the updates to
the configured distribution points, and then deploy the software update group to clients in the target collection.

Modify a servicing plan

After you create a basic servicing plan from the Windows 10 servicing dashboard or you need to change the
settings for an existing servicing plan, you can go to properties for the servicing plan.

NOTE
You can configure settings in the properties for the servicing plan that are not available in the wizard when you create the
servicing plan. The wizard uses default settings for the settings for the following: download settings, deployment settings, and
alerts.

Use the following procedure to modify the properties of a servicing plan.

To modify the properties of a servicing plan
1. In the Configuration Manager console, click Software Librar y .
2. In the Software Library workspace, expand Windows 10 Ser vicing , click Ser vicing Plans , and then select
the servicing plan that you want to modify.
3. On the Home tab, click Proper ties to open properties for the selected servicing plan.
The following settings are available in the servicing plan properties that weren't configured in the wizard:
Deployment Settings : On the Deployment Settings tab, configure the following settings:
Use Wake-on-L AN to wake up clients for required deployments : Specify whether to enable
Wake On LAN at the deadline to send wake-up packets to computers that require one or more
 software updates in the deployment. Any computers that are in sleep mode at the installation
deadline time are awakened so the software update installation can initiate. Clients that are in sleep
mode that don't require any software updates in the deployment aren't started. By default, this setting
isn't enabled.

WARNING
Before you can use this option, computers and networks must be configured for Wake On LAN.

Detail level : Specify the level of detail for the state messages that are reported by client computers.
Download Settings : On the Download Settings tab, configure the following settings:
Specify whether the client downloads and installs the software updates when a client is connected to
a slow network or is using a fallback content location.
Specify whether to have the client download and install the software updates from a fallback
distribution point when the content for the software updates isn't available on a preferred distribution
point.
Allow clients to share content with other clients on the same subnet : Specify whether to
enable the use of BranchCache for content downloads. For more information about BranchCache, see
Fundamental concepts for content management.
Specify whether to have clients download software updates from Microsoft Update if software
updates aren't available on distribution points.

IMPORTANT
Do not use this setting for Windows 10 Servicing updates. Configuration Manager (at least through version
1610) fails to download the Windows 10 Servicing updates from Microsoft Update.

Specify whether to allow clients to download after an installation deadline when they use metered
Internet connections. Internet providers sometimes charge by the amount of data that you send and
receive when you are on a metered Internet connection.
Aler ts : On the Alerts tab, configure how Configuration Manager and System Center Operations Manager
generate alerts for this deployment.
You can review recent software updates alerts from the Software Updates node in the Software
Librar y workspace.

Next steps
For more information, see Fundamentals of Configuration Manager as a service and Windows as a service.
 Monitor operating system deployments in
Configuration Manager
9/4/2020 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The Configuration Manager console provides the following ways to help you monitor operating system
deployment objects.

Alerts for operating system deployments

You can configure an alert in the task sequence deployment settings to notify administrative users when
compliance levels for the deployment is below the configured percentage.
After you configure the alert settings, if the specified conditions occur, Configuration Manager generates an alert.
You can review task sequence deployment alerts at the following locations:
1. Review recent alerts in the Operating Systems node in the Software Librar y workspace.
2. Manage the configured alerts in the Aler ts node in the Monitoring workspace.

Task sequence deployment status

After you deploy a task sequence, you can monitor the deployment status. Use the following procedure to monitor
the deployment status for a task sequence.
To monitor deployment status
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, click Deployments .
3. Click the task sequence for which you want to monitor the deployment status.
4. On the Home tab, in the Deployment group, click View Status .

NOTE
When an upgrade is initiated, status message 52200 is generated. This contains the user that did the upgrade.

Operating system deployment reports

There are many predefined operating system deployment reports available. They are organized in several
categories and can be used to report on specific information about state migration and task sequence
deployments. In addition to using the preconfigured reports, you can also create custom software update reports
according to the needs of your enterprise. For more information, see Operations and maintenance for reporting.

Monitor content
You can monitor content in the Configuration Manager console to review the status for all package types in
relation to the associated distribution points. This can include the content validation status for the content in the
package, the status of content assigned to a specific distribution point group, the state of content assigned to a
distribution point, and the status of optional features for each distribution point (content validation, PXE, and
multicast).
Content status monitoring
The Content Status node in the Monitoring workspace provides information about content packages. You can
review general information about the package, distribution status for the package, and detailed status information
about the package. Use the following procedure to view content status.
To monitor content status
1. In the Configuration Manager console, click Monitoring .
2. In the Monitoring workspace, expand Distribution Status , and then click Content Status . The packages
are displayed.
3. Select the package for which to view detailed status information.
4. On the Home tab, click View Status . Detailed status information for the package is displayed.
Distribution point group status
The Distribution Point Group Status node in the Monitoring workspace provides information about
distribution point groups. You can review general information about the distribution point group, such as
distribution point group status and compliance rate, as well as detailed status information for the distribution
point group. Use the following procedure to view distribution point group status.
To monitor distribution point group status
1. In the Configuration Manager console, click Monitoring .
2. In the monitoring workspace, expand Distribution Status , and then click Distribution Point Group
Status . The distribution point groups are displayed.
3. Select the distribution point group for which to view detailed status information.
4. On the Home tab, click View Status . Detailed status information for the distribution point group is
displayed.
Distribution point configuration status
The Distribution Point Configuration Status node in the Monitoring workspace provides information about
the distribution point. You can review which attributes are enabled for the distribution point, such as the PXE,
Multicast, and content validation. You can also view detailed status information for the distribution point. Use the
following procedure to view distribution point configuration status.
To monitor distribution point configuration status
1. In the Configuration Manager console, click Monitoring .
2. In the monitoring workspace, expand Distribution Status , and then click Distribution Point
Configuration Status . The distribution points are displayed.
3. Select the distribution point for which to view distribution point status information.
4. In the results pane, click the Details tab. Status information for the distribution point is displayed.
 Debug a task sequence
9/4/2020 • 4 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Starting in version 1906, the task sequence debugger is a new troubleshooting tool. You deploy a task sequence in
debug mode to a small collection. It lets you step through the task sequence in a controlled manner to aid
troubleshooting and investigation. The debugger currently runs on the same device as the task sequence engine,
it's not a remote debugger.

NOTE
In this version of Configuration Manager, the task sequence debugger is a pre-release feature. To enable it, see Pre-release
features.

Prerequisites
Update the Configuration Manager client on the target device
Sign in to the target device as a user in the local Administrators group. The debugger only runs for
administrators.
Update the boot image associated with the task sequence to make sure it has the latest client version

Start the tool

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select Task Sequences .
2. Select a task sequence. In the Deployment group of the ribbon, select Debug .

TIP
Alternatively, set the variable TSDebugMode to TRUE on a collection or computer object to which the task
sequence is deployed. Any device that has this variable set will put any task sequence deployed to it into debug
mode.

3. Create a debug deployment. The deployment settings are the same as a normal task sequence deployment.
For more information, see Deploy a task sequence.

NOTE
You can only select a small collection for a debug deployment. It only displays device collections with 10 or less
members.

Starting in version 1910, use the new task sequence variable TSDebugOnError to automatically start the
debugger when the task sequence returns an error. For more information, see Task sequence variables -
TSDebugOnError.

Use the tool

When the task sequence runs on the device, the Task Sequence Debugger window opens similar to the following
screenshot:

The debugger includes the following controls:

Step : From the current position, run only the next step in the task sequence.

NOTE
When the task sequence is in debug mode, if a step returns a fatal error, the task sequence doesn't fail as normal. This
behavior gives you the option to retry a step after you make an external change.

Run : From the current position, run the task sequence normally to the end, the next break point, or if a step
fails. Before you use this action, make sure to set any break points with the Set Break action.
Set Current : Select a step in the debugger and then select Set Current . This action moves the current
pointer to that step. This action allows you to skip steps or move backwards.

WARNING
The debugger doesn't consider the type of step when you change the current position in the sequence. Some steps
may set task sequence variables that are required for condition evaluation by later steps. If run out of order, some
steps may fail or cause significant damage to a device. Use this option at your own risk.

Set Break : Select a step in the debugger and then select Set Break . This action adds a break point in the
 debugger. When you Run the task sequence, it stops at a break.
Before you use the Run action, set break points.
Starting in version 1910, if you create a break point in the debugger, and then the task sequence
restarts the computer, the debugger keeps your break points after restart.
In version 1906, break points aren't saved after the computer restarts, like with the Restart Computer
step. For example, if you start the debugger from Software Center for an imaging task sequence,
don't set breaks in the Windows PE phase. When the computer restarts into Windows PE, the
debugger pauses the task sequence so that you can set breaks.
Clear All Breaks : Remove all break points.
Log File : Opens the current task sequence log file, smsts.log , with CMTrace. You can see log entries when
the task sequence engine is "Waiting for the debugger."
Cmd Prompt : In Windows PE, opens a command prompt.
Cancel : Close the debugger, and fail the task sequence.
Quit : Detach and close the debugger, but the task sequence continues to run normally.
The Task Sequence Variables window shows the current values for all variables in the task sequence
environment. For more information, see Task sequence variables. If you use the Set Task Sequence Variable step
with the option to Do not display this value , the debugger doesn't display the variable value. You can't edit the
variable values in the debugger.

NOTE
Some task sequence variables are for internal use only, and not listed in the reference documentation.

The task sequence debugger continues to run after a Restart Computer step, but you need to recreate any break
points. Even though the task sequence may not require it, since the debugger requires user interaction, you need to
sign in to Windows to continue. If you don't sign in after one hour to continue debugging, the task sequence fails.
It also steps into a child task sequence with the Run Task Sequence step. The debugger window shows the steps of
the child task sequence along with the main task sequence.

Known issues
If you target both a normal deployment and debug deployment to the same device through multiple deployments,
the task sequence debugger may not launch.

See also
About task sequence steps
Task sequence variables
How to use task sequence variables
Deploy a task sequence
 Configure pre-cache content for task sequences
9/4/2020 • 4 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The pre-cache feature for available deployments of task sequences lets clients download relevant content before
a user installs the task sequence. The client can pre-cache content for task sequences that upgrade an OS or
install an OS image.

NOTE
In version 1910, Configuration Manager enables this feature by default. In version 1906 or earlier, Configuration Manager
doesn't enable this optional feature by default. You must enable this feature before using it. For more information, see
Enable optional features from updates.

For example, you only want a single in-place upgrade task sequence for all users, and have many architectures
and languages. In previous versions, the content starts to download when the user installs an available task
sequence deployment from Software Center. This delay adds additional time before the installation is ready to
start. All content referenced in the task sequence is downloaded. This content includes the OS upgrade package
for all languages and architectures. If each upgrade package is roughly 3 GB in size, the total content is very
large.
Pre-cache content gives you the option for the client to only download the applicable content and all other
referenced content as soon as it receives the deployment. When the user clicks Install in Software Center, the
content is ready. The installation starts quickly because the content is on the local hard drive.
In Configuration Manager version 1902 and earlier, this behavior only applies to the OS upgrade package. That
package is the only content on which you specify the matching architecture or language. For example, if the task
sequence also references multiple driver packages, the client downloads them all. The task sequence engine
evaluates the conditions on the steps when the task sequence runs, not in advance. The client uses the tags on
the package properties to determine which content to pre-cache.
Starting in version 1906, you can use pre-caching to reduce bandwidth consumption of the following content
types:
OS upgrade packages
OS images
Driver packages
Packages

Configure pre-caching
There are three steps to configure the pre-cache feature:
1. Create and configure the packages
2. Create a task sequence with conditional steps
3. Deploy the task sequence and enable pre-caching
1. Create and configure the packages
The client evaluates attributes of the packages to determine which content it downloads during pre-caching.
OS upgrade package
Create OS upgrade packages for specific architectures and languages. Specify the Architecture and Language
on the Data Source tab of its properties.
OS image
Create OS images for specific architectures and languages. Specify the Architecture and Language on the
Data Source tab of its properties.
Driver package
Create driver packages for specific hardware models. Specify the Model on the General tab of its properties.
To determine which driver package it downloads during pre-caching, the client evaluates the model against the
Name property of the Win32_ComputerSystemProduct WMI class.

TIP
The actual query uses a LIKE statement with wildcards:
select * from win32_computersystemproduct where name like "%yourstring%" . For example, if you specify Surface
as the model, the query matches all models that include that string.

Package
Create packages for specific architectures and languages. Specify the Architecture and Language on the
General tab of its properties.
2. Create a task sequence
Create a task sequence with conditional steps for the different languages and architectures, or different hardware
models for driver packages.

C O N T EN T ST EP

OS upgrade package Upgrade OS

OS image Apply OS Image

Driver package Apply Driver Package

Package Install Package

For example, the following Upgrade OS step uses the English version:
 TIP
The following WMI query is recommended for the English (United States) OS and 64-bit architecture:

SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture LIKE '%64%' AND OSLanguage='1033'

First add the language by selecting the Operating System Language condition. Then edit the WMI query to include
the architecture clause.

3. Deploy the task sequence

Deploy the task sequence. For the pre-cache feature, configure the following settings:
On the General tab, select Pre-download content for this task sequence .
On the Deployment settings tab, configure the task sequence as Available .
On the Scheduling tab, choose the currently selected time for the setting, Schedule when this
deployment will be available . The client starts pre-caching content at the deployment's available time.
When a targeted client receives this policy, the available time is in the past, thus pre-cache download
starts right away. If the client receives this policy but the available time is in the future, the client doesn't
start pre-caching content until the available time occurs.
On the Distribution Points tab, configure the Deployment options settings. If the content isn't pre-
cached before a user starts the installation, the client uses these settings.

IMPORTANT
For a task sequence that installs an OS image, don't use the deployment option to Download content locally
when needed by the running task sequence . When the task sequence wipes the disk before it applies the OS
image, it removes the client cache. Since the content is gone, the task sequence fails. These deployment options are
dynamic based on other options you select for the deployment. For more information, see Deploy a task sequence.

User experience
When the client receives the deployment policy, it starts to pre-cache the content after the deployment's
available time. This content includes all referenced packages, but only the OS upgrade package that
matches the architecture and language attributes on the package.
When the client makes the deployment available to users, a notification displays to inform users about the
new deployment. Now the task sequence is visible in Software Center. The user can go to Software Center
and click Install to start the installation.
If the client hasn't fully pre-cached the content when the user installs the task sequence, then the client
uses the settings that you specify on the Deployment Option tab of the deployment.

See also
Create a task sequence to upgrade an OS
Scenario to upgrade Windows to the latest version
 Create task sequence media
9/4/2020 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

You can use media to capture an OS image from a reference computer or to deploy an OS to a destination
computer in your Configuration Manager environment. The media that you create can be a CD, DVD set, or a USB
flash drive.
Media is used mostly to deploy an OS on computers that don't have a network connection or that have a low-
bandwidth connection to the site. However, you can also use media to start an OS deployment outside of an
existing Windows OS. This method is useful when there's no OS, the OS isn't working, or you want to repartition
the disk.
Deployment media includes bootable media, standalone media, and prestaged media. The content of the media
varies, depending on what type of media that you use. For example, standalone media contains the task sequence
that deploys the OS. Other types of media retrieve task sequences from the management point.

IMPORTANT
To create task sequence media, you must be an administrator on the computer where you run the Configuration Manager
console. If you're not an administrator, you're prompted for administrator credentials when you start the Create Task
Sequence Media wizard.

Capture media
Capture media allows you to capture an OS image from a reference computer. Capture media contains the boot
image that starts the reference computer and the task sequence that captures the OS image.

Bootable media
Bootable media contains the following components:
The boot image
Optional prestart commands and their required files
Configuration Manager binaries
When the destination computer starts, it connects to the network and retrieves the task sequence, the OS image,
and any other required content from the network. Because the task sequence isn't on the media, you can change
the task sequence or content without having to recreate the media.

IMPORTANT
The packages on bootable media aren't encrypted. Take appropriate security measures, such as adding a password to the
media, to make sure that the package contents are secured from unauthorized users.

Starting in version 2006, bootable media can download cloud-based content. The device still needs an intranet
connection to the management point. It can get content from a content-enabled cloud management gateway
(CMG) or cloud distribution point. For more information, see Support for cloud-based content.
Prestaged media
Prestaged media allows you to apply bootable media and an OS image to a hard disk before the provisioning
process. The prestaged media is a Windows Image (WIM) file. The manufacturer can install it to the bare-metal
computer during their build process. Or you can use it in a staging center that's not connected to the production
Configuration Manager environment.
Prestaged media contains the boot image used to start the destination computer and the OS image that's applied
to the destination computer. You can also specify applications, packages, and driver packages to include as part of
the prestaged media. The task sequence that deploys the OS isn't included in the media. When you deploy a task
sequence that uses prestaged media, the client checks the local task sequence cache for valid content first. If the
content can't be found or has been revised, the client downloads the content from a distribution point or peer.
You apply prestaged media to the hard drive of a new computer before you send the computer to the user. When
the computer starts for the first time after you've applied the prestaged media, the computer starts in Windows
PE. It connects to a management point to locate the task sequence that completes the OS deployment process.

IMPORTANT
The packages on prestaged media aren't encrypted. Take appropriate security measures, such as adding a password to the
media, to make sure that the package contents are secured from unauthorized users.

Standalone media
Standalone media contains everything that's required to deploy the OS. This content includes the task sequence
and any other required content. Because everything is on the media, the required disk space is larger than for
other types of media.

Considerations when using HTTPS

When you configure your management points and distribution points to use HTTPS, create boot media and
prestaged media at a primary site, not the central administration site. Also, consider the following point to help
you determine whether to configure the media as dynamic or site-based:
To configure the media as dynamic media, all primary sites must have the root certificate authority (CA) of
the site from which you created the media. You can import the root CA to all primary sites in your
hierarchy.
When primary sites in your Configuration Manager hierarchy use different root CAs, you must use site-
based media at each site.

Next steps
Create capture media
Create bootable media
Create prestaged media
Create standalone media
 Create stand-alone media
9/4/2020 • 9 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Stand-alone media in Configuration Manager contains everything required to deploy the OS on a computer
without a network connection.
Use stand-alone media with the following OS deployment scenarios:
Refresh an existing computer with a new version of Windows
Install a new version of Windows on a new computer (bare metal)
Upgrade Windows to the latest version

Usage
Stand-alone media includes the task sequence that automates the steps to install the OS, and all other required
content. This content includes the boot image, OS image, and device drivers. Because the stand-alone media stores
everything to deploy the OS, it requires more disk space than required for other types of media.
When you create stand-alone media on a central administration site, the client retrieves its assigned site code
from Active Directory. Stand-alone media created at child sites automatically assigns to the client the site code for
that site.

Prerequisites
Before you create stand-alone media by using the Create Task Sequence Media Wizard, be sure that all of these
conditions are met.
Create a task sequence to deploy an OS
As part of the stand-alone media, specify the task sequence to deploy an OS. For more information, see Create a
task sequence to install an OS.
Unsupported actions for stand-alone media
The following actions aren't supported for stand-alone media:
The Auto Apply Drivers step in the task sequence. Stand-alone media doesn't support automatic application
of device drivers from the driver catalog. Use the Apply Driver Package step to make a specified set of
drivers available to Windows Setup.
The Download Package Content step in the task sequence. The management point information isn't
available on stand-alone media, so the step fails trying to enumerate content locations.
Installing software updates.
Installing software before deploying the OS.
Custom task sequences for non-OS deployments.
Associating users with the destination computer to support user device affinity.
Dynamic package installs via the Install Packages step.
Dynamic application installs via the Install Application step.
 The Use pre-production client package when available setting in the Setup Windows and
ConfigMgr task sequence step. For more information about this setting, see Setup Windows and
ConfigMgr.

NOTE
An error might occur if your task sequence includes the Install Package step and you create the stand-alone media at a
central administration site. The central administration site doesn't have the necessary client configuration policies. These
policies are required to enable the software distribution agent when the task sequence runs. The following error might
appear in the CreateTsMedia.log file:
WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)

For stand-alone media that includes an Install Package step, create the stand-alone media at a primary site that has the
software distribution agent enabled.
Alternatively, use a custom Run Command Line step. Add it after the Setup Windows and ConfigMgr step and before the
first Install Package step. The Run Command Line step runs the following WMIC command to enable the software
distribution agent before the first Install Package step:
WMIC /namespace:\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig CREATE
ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local",
PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE

Distribute all content associated with the task sequence

Distribute all content that the task sequence requires to at least one distribution point. This content includes the
boot image, OS image, and other associated files. The wizard gathers the content from the distribution point when
it creates the media.
Your user account needs at least Read access rights to the content library on that distribution point. For more
information, see Distribute content.
Prepare the removable USB drive
If you're using a removable USB drive, connect it to the computer where you run the Create Task Sequence Media
wizard. The USB drive must be detectable by Windows as a removal device. The wizard writes directly to the USB
drive when it creates the media.
Stand-alone media uses a FAT32 file system. You can't create stand-alone media on a removable USB drive whose
content contains a file over 4 GB in size.
Create an output folder
Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, create a folder for the
output files it creates. Media that it creates for a CD or DVD set is written as an .ISO file directly in the folder.

Process
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence Media . This action
starts the Create Task Sequence Media Wizard.
3. On the Select Media Type page, specify the following options:
Select Stand-alone media .
Optionally, if you want to only allow the OS to be deployed without requiring user input, select
Allow unattended operating system deployment .
 IMPORTANT
When you select this option, the user isn't prompted for network configuration information or for optional
task sequences. If you configure the media for password protection, the user is still prompted for a
password.

4. On the Media Type page, specify whether the media is a Removable USB drive or a CD/DVD set . Then
configure the following options:

IMPORTANT
Media uses a FAT32 file system. You can't create media on a USB drive whose content contains a file over 4 GB in
size.

If you select Removable USB drive , select the drive where you want to store the content.
Format removable USB drive (FAT32) and make bootable : By default, let Configuration
Manager prepare the USB drive. Many newer UEFI devices require a bootable FAT32 partition.
However, this format also limits the size of files and overall capacity of the drive. If you've already
formatted and configured the removable drive, disable this option.
If you select CD/DVD set , specify the capacity of the media (Media size ) and the name and path of
the output file (Media file ). The wizard writes the output files to this location. For example:
\\servername\folder\outputfile.iso

If the capacity of the media is too small to store the entire content, it creates multiple files. Then you
need to store the content on multiple CDs or DVDs. When it requires multiple media files,
Configuration Manager adds a sequence number to the name of each output file that it creates.
If you deploy an application along with the OS, and the application can't fit on a single media,
Configuration Manager stores the application across multiple media. When the stand-alone media is
run, Configuration Manager prompts the user for the next media where the application is stored.

IMPORTANT
If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or
share as soon as you proceed to the next page of the wizard. The existing image is deleted, even if you then
cancel the wizard.

Staging folder : The media creation process can require a lot of temporary drive space. By default
this location is similar to the following path: %UserProfile%\AppData\Local\Temp . Starting in version
1902, to give you greater flexibility with where to store these temporary files, change this value to
another drive and path.
Media label : Starting in version 1902, add a label to task sequence media. This label helps you
better identify the media after you create it. The default value is Configuration Manager . This text
field appears in the following locations:
If you mount an ISO file, Windows displays this label as the name of the mounted drive
If you format a USB drive, it uses the first 11 characters of the label as its name
Configuration Manager writes a text file called MediaLabel.txt to the root of the media. By
default, the file includes a single line of text: label=Configuration Manager . If you customize
the label for media, this line uses your custom label instead of the default value.
 Include autorun.inf file on media : Starting in version 1906, Configuration Manager doesn't add
an autorun.inf file by default. This file is commonly blocked by antimalware products. For more
information on the AutoRun feature of Windows, see Creating an AutoRun-enabled CD-ROM
Application. If still necessary for your scenario, select this option to include the file.
5. On the Security page, specify the following options:
Protect media with a password : Enter a strong password to help protect the media from
unauthorized access. When you specify a password, the user must provide that password to use the
media.

IMPORTANT
As a security best practice, always assign a password to help protect the media.
On stand-alone media, it only encrypts the task sequence steps and their variables. It doesn't encrypt the
remaining content of the media. Don't include any sensitive information in task sequence scripts. Store and
implement all sensitive information by using task sequence variables.

Select date range for this stand-alone media to be valid : Set optional start and expiration
dates on the media. This setting is disabled by default. The dates are compared to the system time on
the computer before the stand-alone media runs. When the system time is earlier than the start time
or later than the expiration time, the stand-alone media doesn't start. These options are also
available by using the New-CMStandaloneMedia PowerShell cmdlet.
6. On the Stand-Alone CD/DVD page, select the task sequence that deploys the OS. You can only select
those task sequences that are associated with a boot image. Verify the list of content referenced by the task
sequence.
Detect associated application dependencies and add them to this media : Also add content
to the media for application dependencies.

TIP
If you don't see expected application dependencies, deselect and then reselect this option to refresh the list.

7. On the Select Application page, specify additional application content to include as part of the media file.
8. On the Select Package page, specify additional package content to include as part of the media file.
9. On the Select Driver Package page, specify additional driver package content to include as part of the
media file.
10. On the Distribution Points page, specify the distribution points that contain the required content.
Configuration Manager only displays distribution points that have the content. Distribute all of the content
associated with the task sequence to at least one distribution point before you continue. After you distribute
the content, refresh the distribution point list. Remove any distribution points that you already selected on
this page, go to the previous page, and then back to the Distribution Points page. Alternatively, restart
the wizard. For more information, see Distribute content referenced by a task sequence and Manage
content and content infrastructure.
11. On the Customization page, specify the following options:
Add any variables that the task sequence uses.
Enable prestar t command : Specify any prestart commands that you want to run before the task
 sequence runs. Prestart commands are a script or an executable that can interact with the user in
Windows PE before the task sequence runs. For more information, see Prestart commands for task
sequence media.

TIP
During media creation, the task sequence writes the package ID and prestart command-line, including the
value for any task sequence variables, to the CreateTSMedia.log file on the computer that runs the
Configuration Manager console. You can review this log file to verify the value for the task sequence
variables.

If the prestart command requires any content, select the option to Include files for the prestar t
command .
12. Complete the wizard.
The stand-alone media files (.ISO) are created in the destination folder. If you selected CD/DVD set , copy the
output files to a set of CDs or DVDs.

Next steps
Use stand-alone media to deploy Windows without using the network
 Create prestaged media
9/4/2020 • 8 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Prestaged media in Configuration Manager is a Windows Image (WIM) file. It can be installed on a bare-metal
computer by the manufacturer or at your staging center that's not connected to the production Configuration
Manager environment. Prestaged media contains the boot image used to start the destination computer and the
OS image that's applied to the destination computer. You can also specify applications, packages, and driver
packages to include as part of the prestaged media. The task sequence that deploys the OS isn't included in the
media. Prestaged media is applied to the hard drive of a new computer before the computer is sent to the end
user.
Use prestaged media for the following OS deployment scenarios:
Create an image for an OEM in factory or a local depot
Install a new version of Windows on a new computer (bare metal)
Deploy Windows to Go

Usage
When the computer starts for the first time after you've applied the prestaged media, the computer starts in
Windows PE. It connects to a management point to locate the task sequence that completes the OS deployment
process. When you deploy a task sequence that uses prestaged media, the client checks the local task sequence
cache for valid content first. If the content can't be found or has been revised, the client downloads the content
from a distribution point or peer.

Prerequisites
Before you create prestaged media by using the Create Task Sequence Media Wizard, be sure that all of the
conditions are met.
Boot image
Consider the following points about the boot image that you use in the task sequence to deploy the OS:
The architecture of the boot image must be appropriate for the architecture of the destination computer. For
example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can boot and run only an x86 boot image.
Make sure that the boot image contains the network and storage drivers that are required to provision the
destination computer.
Create a task sequence to deploy an OS
As part of the prestaged media, specify the task sequence to deploy the OS. For more information, see Create a
task sequence to install an OS.
Distribute all content associated with the task sequence
Distribute all content that the task sequence requires to at least one distribution point. This content includes the
boot image, OS image, and other associated files. The wizard gathers the content from the distribution point
when it creates the prestaged media.
Your user account needs at least Read access rights to the content library on that distribution point. For more
information, see Distribute content.
Hard drive on the destination computer
The hard drive of the destination computer must be formatted before the prestaged media is applied to it. If the
hard drive isn't formatted when the media is applied, the task sequence that deploys the OS fails when it attempts
to start the destination computer.

NOTE
The Create Task Sequence Media Wizard sets the following task sequence variable condition on the media:
_SMSTSMediaType = OEMMedia . You can use this same condition in your task sequence.

Process
NOTE
For PKI environments, since the Root CA is specified at the Primary site, make sure the prestaged media is created at the
Primary site. The CAS site does not have the Root CA information to properly create the prestaged media.

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence Media . This action
starts the Create Task Sequence Media Wizard.
3. On the Select Media Type page, specify the following options:
Select Prestaged media .
Optionally, if you want to only allow the OS to be deployed without requiring user input, select
Allow unattended operating system deployment .

IMPORTANT
When you select this option, the user isn't prompted for network configuration information or for optional
task sequences. If you configure the media for password protection, the user is still prompted for a
password.

4. On the Media Management page, specify one of the following options:

Dynamic media : Allow a management point to redirect the media to another management point,
based on the client location in the site boundaries.
Site-based media : The media only contacts the specified management point.
5. On the Media Proper ties page, specify the following information:
Created by : Specify who created the media.
Version : Specify the version number of the media.
Comment : Specify a unique description of what the media is used for.
Media file : Specify the name and path of the output files. The wizard writes the output files to this
location. For example: \\servername\folder\outputfile.wim
 Staging folder : The media creation process can require a lot of temporary drive space. By default
this location is similar to the following path: %UserProfile%\AppData\Local\Temp . Starting in version
1902, to give you greater flexibility with where to store these temporary files, change this value to
another drive and path.
6. On the Security page, specify the following options:
Enable unknown computer suppor t : Allow the media to deploy an OS to a computer that's not
managed by Configuration Manager. There's no record of these computers in the Configuration
Manager database. For more information, see Prepare for unknown computer deployments.
Protect media with a password : Enter a strong password to help protect the media from
unauthorized access. When you specify a password, the user must provide that password to use the
prestaged media.

IMPORTANT
As a security best practice, always assign a password to help protect the prestaged media.

For HTTP communications, select Create self-signed media cer tificate . Then specify the start
and expiration date for the certificate.

NOTE
If you select this option HTTPS management points will not be available for selection on the Boot image
page of this wizard.

For HTTPS communications, select Impor t PKI cer tificate . Then specify the certificate to import
and its password.
For more information about this client certificate that boot images use, see PKI certificate
requirements.
User device affinity : To support user-centric management in Configuration Manager, specify how
you want the media to associate users with the destination computer. For more information about
how OS deployment supports user device affinity, see Associate users with a destination computer.
Allow user device affinity with auto-approval : The media automatically associates
users with the destination computer. This functionality is based on the actions of the task
sequence that deploys the OS. In this scenario, the task sequence creates a relationship
between the specified users and destination computer when it deploys the OS to the
destination computer.
Allow user device affinity pending administrator approval : The media associates
users with the destination computer after approval is granted. This functionality is based on
the scope of the task sequence that deploys the OS. In this scenario, the task sequence
creates a relationship between the specified users and the destination computer, but waits for
approval from an administrative user before the OS is deployed.
Do not allow user device affinity : The media doesn't associate users with the destination
computer. In this scenario, the task sequence doesn't associate users with the destination
computer when it deploys the OS.
7. On the Task Sequence page, select the task sequence that runs on the destination computer. Verify the list
of content referenced by the task sequence.
 Detect associated application dependencies and add them to this media : Also add content
to the media for application dependencies.

TIP
If you don't see expected application dependencies, deselect and then reselect this option to refresh the list.

8. On the Boot image page, specify the following options:

IMPORTANT
The architecture of the boot image that you distribute must be appropriate for the architecture of the destination
computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can boot and run only an x86 boot image.

Boot image : Select the boot image to start the destination computer.
Distribution point : Select the distribution point that has the boot image. The wizard retrieves the
boot image from the distribution point and writes it to the media.

NOTE
Your user account needs at least Read permissions to the content library on the distribution point.

Management point : Only for site-based media, select a management point from a primary site.
Associated management points : Only for dynamic media, select the primary site management
points to use, and a priority order for the initial communication.

NOTE
HTTPS enabled management points will only be displayed when a PKI certificate is specified in the Security
page of this wizard.

9. On the Images page, specify the following options:

Image package : Specify the OS image to use. For more information, see Manage OS images.
Image index : If the package contains multiple OS images, specify the index of the image to deploy.
Distribution point : Specify the distribution point that has the OS image package. The wizard gets
the OS image from the distribution point and writes it to the media.
10. On the Select Application page, select additional applications to add to the prestaged media file.
11. On the Select Package page, select additional packages to add to the prestaged media file.
12. On the Select Driver Package page, select additional driver packages to add to the prestaged media file.
13. On the Distribution Points page, select one or more distribution points from which to get content.
Configuration Manager only displays distribution points that have the content. Distribute all of the content
associated with the task sequence to at least one distribution point before you continue. After you
distribute the content, refresh the distribution point list. Remove any distribution points that you already
selected on this page, go to the previous page, and then back to the Distribution Points page.
Alternatively, restart the wizard. For more information, see Distribute content referenced by a task
 sequence and Manage content and content infrastructure.
14. On the Customization page, specify the following options:
Add any variables that the task sequence uses.
Enable prestar t command : Specify any prestart commands that you want to run before the task
sequence runs. Prestart commands are a script or an executable that can interact with the user in
Windows PE before the task sequence runs. For more information, see Prestart commands for task
sequence media.

TIP
During media creation, the task sequence writes the package ID and prestart command-line, including the
value for any task sequence variables, to the CreateTSMedia.log file on the computer that runs the
Configuration Manager console. You can review this log file to verify the value for the task sequence
variables.

If the prestart command requires any content, select the option to Include files for the prestar t
command .
15. Complete the wizard.

Next steps
Create an image for an OEM in factory or a local depot
 Create bootable media
9/4/2020 • 9 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Bootable media in Configuration Manager contains the boot image, optional prestart commands and associated
files, and Configuration Manager files. Use bootable media for the following OS deployment scenarios:
Install a new version of Windows on a new computer (bare metal)
Replace an existing computer and transfer settings

Usage
The following process occurs when you boot to bootable media:
1. The destination computer starts
2. It connects to the network
3. It retrieves the following content from the site:
The specified task sequence
OS image
Any other required content
Because the task sequence isn't on the media, you can change the task sequence or content without having to
recreate the media.
The packages on bootable media aren't encrypted. To make sure that the package contents are secured from
unauthorized users, take appropriate security measures. For example, add a password to the media.
Starting in version 2006, bootable media can download cloud-based content. The device still needs an intranet
connection to the management point. It can get content from a content-enabled cloud management gateway
(CMG) or cloud distribution point. For more information, see Support for cloud-based content.

Prerequisites
Before you create bootable media by using the Create Task Sequence Media Wizard, be sure that all of these
conditions are met.
Boot image
Consider the following points about the boot image that you use in the task sequence to deploy the OS:
The architecture of the boot image must be appropriate for the architecture of the destination computer. For
example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can boot and run only an x86 boot image.
Make sure that the boot image contains the network and storage drivers that are required to provision the
destination computer.
Create a task sequence to deploy an OS
As part of the bootable media, specify the task sequence to deploy the OS. For more information, see Create a
task sequence to install an OS.
Distribute all content associated with the task sequence
Distribute all content that the task sequence requires to at least one distribution point. This content includes the
boot image and other associated prestart files. The wizard gathers the content from the distribution point when it
creates the bootable media.
Your user account needs at least Read access rights to the content library on that distribution point. For more
information, see Distribute content.
Prepare the removable USB drive
If you're using a removable USB drive, connect it to the computer where you run the Create Task Sequence Media
wizard. The USB drive must be detectable by Windows as a removal device. The wizard writes directly to the USB
drive when it creates the media.
Create an output folder
Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, create a folder for
the output files it creates. Media that it creates for a CD or DVD set is written as an .ISO file directly in the folder.

Process
NOTE
For PKI environments, since you specify the root certificate authority (CA) at the primary site, make sure to create the
bootable media at the primary site. The central administration site (CAS) doesn't have the root CA information to properly
create the bootable media.

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence Media . This action
starts the Create Task Sequence Media Wizard.
3. On the Select Media Type page, specify the following options:
Select Bootable media .
Optionally, if you want to only allow the OS to be deployed without requiring user input, select
Allow unattended operating system deployment .

IMPORTANT
When you select this option, the user isn't prompted for network configuration information or for optional
task sequences. If you configure the media for password protection, the user is still prompted for a
password.

4. On the Media Management page, specify one of the following options:

Dynamic media : Allow a management point to redirect the media to another management point,
based on the client location in the site boundaries.
Site-based media : The media only contacts the specified management point.
5. On the Media Type page, specify whether the media is a Removable USB drive or a CD/DVD set . Then
configure the following options:
 IMPORTANT
Media uses a FAT32 file system. You can't create media on a USB drive whose content contains a file over 4 GB in
size.

If you select Removable USB drive , select the drive where you want to store the content.
Format removable USB drive (FAT32) and make bootable : By default, let Configuration
Manager prepare the USB drive. Many newer UEFI devices require a bootable FAT32 partition.
However, this format also limits the size of files and overall capacity of the drive. If you've already
formatted and configured the removable drive, disable this option.
If you select CD/DVD set , specify the capacity of the media (Media size ) and the name and path of
the output file (Media file ). The wizard writes the output files to this location. For example:
\\servername\folder\outputfile.iso

If the capacity of the media is too small to store the entire content, it creates multiple files. Then you
need to store the content on multiple CDs or DVDs. When it requires multiple media files,
Configuration Manager adds a sequence number to the name of each output file that it creates.

IMPORTANT
If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or
share as soon as you proceed to the next page of the wizard. The existing image is deleted, even if you then
cancel the wizard.

Staging folder : The media creation process can require much temporary drive space. By default
this location is similar to the following path: %UserProfile%\AppData\Local\Temp . To give you greater
flexibility with where to store these temporary files, you can change this value to another drive and
path.
Media label : Add a label to task sequence media. This label helps you better identify the media
after you create it. The default value is Configuration Manager . This text field appears in the
following locations:
If you mount an ISO file, Windows displays this label as the name of the mounted drive.
If you format a USB drive, it uses the first 11 characters of the label as its name.
Configuration Manager writes a text file called MediaLabel.txt to the root of the media. By
default, the file includes a single line of text: label=Configuration Manager . If you customize
the label for media, this line uses your custom label instead of the default value.
Include autorun.inf file on media : Starting in version 1906, Configuration Manager doesn't add
an autorun.inf file by default. This file is commonly blocked by antimalware products. For more
information on the AutoRun feature of Windows, see Creating an AutoRun-enabled CD-ROM
Application. If still necessary for your scenario, select this option to include the file.
6. On the Security page, specify the following options:
Enable unknown computer suppor t : Allow the media to deploy an OS to a computer that's not
managed by Configuration Manager. There's no record of these computers in the Configuration
Manager database. For more information, see Prepare for unknown computer deployments.
Protect media with a password : Enter a strong password to help protect the media from
unauthorized access. When you specify a password, the user must provide that password to use the
 bootable media.

IMPORTANT
As a security best practice, always assign a password to help protect the bootable media.

For HTTP communications, select Create self-signed media cer tificate . Then specify the start
and expiration date for the certificate.

NOTE
If you select this option, you can't select any HTTPS management point on the Boot image page of this
wizard.

For HTTPS communications, select Impor t PKI cer tificate . Then specify the certificate to import
and its password.
For more information about this client certificate that boot images use, see PKI certificate
requirements.
User device affinity : To support user-centric management in Configuration Manager, specify how
you want the media to associate users with the destination computer. For more information about
how OS deployment supports user device affinity, see Associate users with a destination computer.
Allow user device affinity with auto-approval : The media automatically associates
users with the destination computer. This functionality is based on the actions of the task
sequence that deploys the OS. In this scenario, the task sequence creates a relationship
between the specified users and destination computer when it deploys the OS to the
destination computer.
Allow user device affinity pending administrator approval : The media associates
users with the destination computer after approval is granted. This functionality is based on
the scope of the task sequence that deploys the OS. In this scenario, the task sequence
creates a relationship between the specified users and the destination computer. It then waits
for approval from an administrative user before it deploys the OS.
Do not allow user device affinity : The media doesn't associate users with the destination
computer. In this scenario, the task sequence doesn't associate users with the destination
computer when it deploys the OS.
7. On the Boot image page, specify the following options:

IMPORTANT
The architecture of the boot image that you distribute must be appropriate for the architecture of the destination
computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can only boot and run an x86 boot image.

Boot image : Select the boot image to start the destination computer.
Distribution point : Select the distribution point that has the boot image. The wizard retrieves the
boot image from the distribution point and writes it to the media.
 NOTE
Your user account needs at least Read permissions to the content library on the distribution point.

Management point : Only for site-based media, select a management point from a primary site.
Associated management points : Only for dynamic media, select the primary site management
points to use, and a priority order for the initial communication.

NOTE
When you specify a PKI certificate on the Security page of this wizard, this page only displays HTTPS-
enabled management points.

8. On the Customization page, specify the following options:

Add any variables that the task sequence uses.
Enable prestar t command : Specify any prestart commands that you want to run before the task
sequence runs. Prestart commands are a script or an executable that can interact with the user in
Windows PE before the task sequence runs. For more information, see Prestart commands for task
sequence media.

TIP
During media creation, the task sequence writes the package ID and prestart command-line, including the
value for any task sequence variables, to the CreateTSMedia.log file on the computer that runs the
Configuration Manager console. You can review this log file to verify the value for the task sequence
variables.

If the prestart command requires any content, select the option to Include files for the prestar t
command .
9. Complete the wizard.

Alternate method
You can create bootable media on a removable USB drive when the drive isn't connected to the computer running
the Configuration Manager console.
1. Create the task sequence boot media. On the Media type page, select CD/DVD set . The wizard writes the
output files to the location that you specify. For example: \\servername\folder\outputfile.iso .
2. Prepare the removable USB drive. The drive must be formatted, empty, and bootable.
3. Mount the ISO from the share location and transfer the files from the ISO to the USB drive.

Next steps
Use bootable media to deploy Windows over the network
 Create capture media
9/4/2020 • 4 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Capture media in Configuration Manager allows you to capture an OS image from a reference computer. Capture
media contains the boot image that starts the reference computer and the task sequence that captures the OS
image. Use capture media for the scenario to Create a task sequence to capture an OS.

Prerequisites
Before you create capture media by using the Create Task Sequence Media Wizard, be sure that all of these
conditions are met.
Boot image
Consider the following points about the boot image that you use in the task sequence to deploy the OS:
The architecture of the boot image must be appropriate for the architecture of the destination computer. For
example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86 destination
computer can boot and run only an x86 boot image.
Make sure that the boot image contains the network and storage drivers that are required to provision the
destination computer.
Distribute all content associated with the task sequence
Distribute all content that the task sequence requires to at least one distribution point. This content includes the
boot image, OS image, and other associated files. The wizard gathers the content from the distribution point when
it creates the capture media.
Your user account needs at least Read access rights to the content library on that distribution point. For more
information, see Distribute content.
Prepare the removable USB drive
If you're using a removable USB drive, connect it to the computer where you run the Create Task Sequence Media
wizard. The USB drive must be detectable by Windows as a removal device. The wizard writes directly to the USB
drive when it creates the media.
Create an output folder
Before you run the Create Task Sequence Media Wizard to create media for a CD or DVD set, create a folder for the
output files it creates. Media that it creates for a CD or DVD set is written as an .ISO file directly in the folder.

Process
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and select the Task Sequences node.
2. On the Home tab of the ribbon, in the Create group, select Create Task Sequence Media . This action
starts the Create Task Sequence Media Wizard.
3. On the Select Media Type page, select Capture media .
4. On the Media Type page, specify whether the media is a Removable USB drive or a CD/DVD set . Then
configure the following options:
 IMPORTANT
Media uses a FAT32 file system. You can't create media on a USB drive whose content contains a file over 4 GB in
size.

If you select Removable USB drive , select the drive where you want to store the content.
Format removable USB drive (FAT32) and make bootable : By default, let Configuration
Manager prepare the USB drive. Many newer UEFI devices require a bootable FAT32 partition.
However, this format also limits the size of files and overall capacity of the drive. If you've already
formatted and configured the removable drive, disable this option.
If you select CD/DVD set , specify the capacity of the media (Media size ) and the name and path of
the output file (Media file ). The wizard writes the output files to this location. For example:
\\servername\folder\outputfile.iso

If the capacity of the media is too small to store the entire content, it creates multiple files. Then you
need to store the content on multiple CDs or DVDs. When it requires multiple media files,
Configuration Manager adds a sequence number to the name of each output file that it creates.

IMPORTANT
If you select an existing .iso image, the Task Sequence Media Wizard deletes that image from the drive or
share as soon as you proceed to the next page of the wizard. The existing image is deleted, even if you then
cancel the wizard.

Staging folder : The media creation process can require a lot of temporary drive space. By default
this location is similar to the following path: %UserProfile%\AppData\Local\Temp . Starting in version
1902, to give you greater flexibility with where to store these temporary files, change this value to
another drive and path.
Media label : Starting in version 1902, add a label to task sequence media. This label helps you
better identify the media after you create it. The default value is Configuration Manager . This text field
appears in the following locations:
If you mount an ISO file, Windows displays this label as the name of the mounted drive
If you format a USB drive, it uses the first 11 characters of the label as its name
Configuration Manager writes a text file called MediaLabel.txt to the root of the media. By
default, the file includes a single line of text: label=Configuration Manager . If you customize
the label for media, this line uses your custom label instead of the default value.
Include autorun.inf file on media : Starting in version 1906, Configuration Manager doesn't add
an autorun.inf file by default. This file is commonly blocked by antimalware products. For more
information on the AutoRun feature of Windows, see Creating an AutoRun-enabled CD-ROM
Application. If still necessary for your scenario, select this option to include the file.
5. On the Boot image page, specify the following options:

IMPORTANT
The architecture of the boot image that you distribute must be appropriate for the architecture of the destination
computer. For example, an x64 destination computer can boot and run an x86 or x64 boot image. However, an x86
destination computer can boot and run only an x86 boot image.
 Boot image : Select the boot image to start the destination computer.
Distribution point : Select the distribution point that has the boot image. The wizard retrieves the
boot image from the distribution point and writes it to the media.

NOTE
Your user account needs at least Read permissions to the content library on the distribution point.

6. Complete the wizard.

Next steps
Create a task sequence to capture an OS
 Use the task sequence editor
9/4/2020 • 9 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

Edit task sequences in the Configuration Manager console by using the Task Sequence Editor . Use the editor to:
Open a read-only view of the task sequence
Add or remove steps from the task sequence
Change the order of the steps of the task sequence
Add or remove groups of steps
Copy and paste steps between task sequences
Set step options like whether the task sequence continues when an error occurs
Add conditions to the steps and groups of a task sequence
Copy and paste conditions between steps in a task sequence
Search the task sequence to quickly locate steps
Before you can edit a task sequence, you need to create it. For more information, see Manage and create task
sequences.

About the task sequence editor

The task sequence editor includes the following components:
 1. The name of the task sequence
2. Search. For more information, see Search.
3. Proper ties for the selected group or step in the sequence
For more information about the properties and options of a specific step, see About task sequence steps.
4. Options for the selected group or step in the sequence
For more information on general options on all steps, or options of a specific step, see About task sequence
steps.
For more information on how to configure conditions, see Conditions.
5. Add a group or steps
6. Remove a group or steps
7. Collapse all groups or expand all groups
8. Move the position of a group or step in the sequence (move up, move down)
9. The task sequence:
See the order of steps and groups.
Expand or collapse a group.
When you disable a step or group on its Options , it's greyed out in the sequence.
A step's icon changes to a red error if there's an issue with the step. For example, a required value is
missing.
10. OK : Save and close
11. Cancel : Close without saving changes
12. Apply : Save changes and keep open
You can resize the task sequence editor using standard Windows controls. To resize the widths of the two main
panes, use the mouse to select the bar between the task sequence and the step properties, and then drag it left or
right.

View a task sequence

1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. In the Task Sequence list, select the task sequence that you want to view.
3. On the Home tab of the ribbon, in the Task Sequence group, select View .

TIP
This action is the default. If you double-click a task sequence, you'll View the task sequence.

This action opens the task sequence editor in read-only mode. In this mode you can do the following actions:
View all groups, steps, properties, and options
Expand and collapse groups
Search the task sequence
Resize the editor window
In this read-only mode, you can't make any changes, including copying a step or condition. This action also
doesn't lock the task sequence for editing. For more information on these locks, see Reclaim lock for editing task
sequences.
To make changes to a task sequence, close the task sequence editor that you have open in read-only mode. Then
Edit the task sequence.

NOTE
When you view or edit a task sequence that was created by the Create Task Sequence Wizard, the name of the step can be
the action or type of the step. For example, you might see a step that has the name "Partition disk 0", which is the action
for a step of type Format and Partition Disk. All task sequence steps are documented by their type, not necessarily by the
name of the step that the editor displays.

Edit a task sequence

Use the following procedure to modify an existing task sequence:
1. In the Configuration Manager console, go to the Software Librar y workspace, expand Operating
Systems , and then select the Task Sequences node.
2. In the Task Sequence list, select the task sequence that you want to edit.
3. On the Home tab of the ribbon, in the Task Sequence group, select Edit . Then do any of the following
actions:
Add a step : Select Add , select a category, and then select the step to add. For example, to add the
Run Command Line step: select Add , choose the General category, and then select Run
Command Line . This action adds the step after the currently selected step.
Add a group : Select Add , and then choose New Group . After you add a group, then add steps to
it.
Change the order : Select the step or group that you want to reorder. Then use the Move Up or
Move Down icons. You can move only one step or group at a time. These actions are also available
when you right-click a group or step.
You can cut, copy, and paste a group or a step. Right-click the item and select the action. You can also
use standard keyboard shortcuts for each action:
Cut: CTRL + X
Copy: CTRL + C
Paste: CTRL + V
Remove a step or group : Select the step or group, and choose Remove .
4. Select OK to save your changes and close the window. Select Cancel to discard your changes and close the
window. Select Apply to save your changes and keep the task sequence editor open.
For a list of the available task sequence steps, see Task sequence steps.
 IMPORTANT
If the task sequence has any unassociated references to an object as a result of the edit, the editor requires you fix the
reference before it can close. Possible actions include:
Correct the reference
Delete the unreferenced object from the task sequence
Temporarily disable the failed task sequence step until the broken reference is corrected or removed

You can open more than one instance of the task sequence editor at the same time. This behavior lets you
compare multiple task sequences, or copy and paste steps between them. You can Edit one task sequence, and
View another, but you can't do both actions on the same task sequence.

Conditions
Use conditions to control how the task sequence behaves. Add conditions to a single step or a group of steps. The
task sequence evaluates the conditions before it runs the step on the device. It only runs the step if the conditions
evaluate true. If a condition evaluates false, then the task sequence skips the group or step.
Use the Options tab to manage conditions:

The following types of conditions are available:

If statement : Use an if statement to group conditions. You can evaluate All conditions , Any condition ,
or None .
Task sequence variable . Evaluate the current value of any built-in, action, custom, or read-only task
sequence variable in the task sequence environment. For more information, see Step conditions.

NOTE
You can use an array variable in this condition, but you have to specify the specific array member. For example,
OSDAdapter0EnableDHCP specifies whether the first network adapter enables DHCP. For more information, see
Array variables.

OS version : Evaluate the OS version of the device where the task sequence runs. This list is the general OS
versions used throughout Configuration Manager. To evaluate a more detailed OS version, such as a
specific version of Windows 10, use the Quer y WMI condition.
OS language : Evaluate the OS language of the device where the task sequence runs. This list includes the
257 languages that Windows supports.
 File proper ties : Evaluate the version or timestamp of any file on the device where the task sequence runs.
Folder proper ties : Evaluate the timestamp of any folder on the device where the task sequence runs.
Registr y setting : Evaluate any registry key value of the device where the task sequence runs.
Quer y WMI : Specify the namespace and query to evaluate on the device where the task sequence runs.
Installed software : Specify a Windows Installer file to load product information to match on the device
where the task sequence runs. You can match against a specific product or any version of the product.
Cmdlets for conditions
Manage conditions with the following PowerShell cmdlets:
Get-CMTSStepConditionFile
Get-CMTSStepConditionFolder
Get-CMTSStepConditionIfStatement
Get-CMTSStepConditionOperatingSystem
Get-CMTSStepConditionQueryWmi
Get-CMTSStepConditionRegistry
Get-CMTSStepConditionSoftware
Get-CMTSStepConditionVariable
Copy and paste conditions
To reuse conditions from one step to another, starting in version 1910 you can now copy and paste conditions in
the task sequence editor. Select a condition to cut or copy it. If a condition has children, it copies the entire block. If
there's a condition on the clipboard, you can paste it with the following options:
Paste before
Paste after
Paste under (only applies to nested conditions)
Use standard keyboard shortcuts to copy (CTRL + C ) and cut (CTRL + X ). The standard CTRL + V keyboard
shortcut does the Paste after action.
There are also new options to move conditions up or down the list.

NOTE
You can copy and paste conditions between steps in a task sequence. It doesn't support this action between different task
sequences.

Reclaim lock for editing

If the Configuration Manager console stops responding, you can be locked out of making further changes until
the lock expires after 30 minutes. This lock is part of the Configuration Manager SEDO (Serialized Editing of
Distributed Objects) system. For more information, see Configuration Manager SEDO.
Starting in version 1906, you can clear your lock on a task sequence. This action only applies to your user account
that has the lock, and on the same device from which the site granted the lock. When you attempt to access a
locked task sequence, you can now Discard Changes , and continue editing the object. These changes would be
lost anyway when the lock expired.
 TIP
Starting in version 1910, you can clear your lock on any object in the Configuration Manager console. For more
information, see Using the Configuration Manager console.

Search
If you have a large task sequence with many groups and steps, it can be difficult to find specific steps. Starting in
version 1910, you can now search in the task sequence editor. This action lets you more quickly locate steps in the
task sequence.

Enter a search term to start. You can scope your search using the following types:
Step name
Step description
Step type
Group name
Group description
Variable name
Conditions
Other content, for example, strings like variable values or command lines
It enables all scopes by default.
You can also filter for all steps with the following attributes:
Continue on error
Has conditions
It doesn't enable either filter by default.
When you search, the editor window highlights in yellow the steps that match your search criteria.
Quickly access these search fields and navigate the search results with the following keyboard shortcuts:
CTRL + F : enter a search string
CTRL + O : select the search options to scope the results
F3 or Enter : step forward through the results
SHIFT + F3 : step backwards through the results

See also
Manage and create task sequences
About task sequence steps
How to use task sequence variables
Using the Configuration Manager console
 User experiences for OS deployment
9/4/2020 • 5 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

After you deploy a task sequence, depending upon the scenario there are different ways for users to interact with
the deployment. This article shows the main user experiences with OS deployments, and how you can configure
them:
Software Center user notification for a high-impact deployment
A sample PXE boot experience
Task sequence wizard from media
Progress window when the task sequence runs
Error window when the task sequence fails

Software Center
For a high-impact deployment, you can customize the message that Software Center displays. When the user
opens the OS deployment in Software Center, they see a message similar to the following window:

For more information on how to customize the message in this window, see Create a custom notification for high-
risk deployments.
You can also customize the organization name at the top of the window. (The above example shows the default
value, IT Organization ). Change the Organization name client setting in the Computer Agent group. For more
information, see About client settings.
For more information, see Use Software Center to deploy Windows over the network.

PXE
Different hardware models have different experiences for PXE. To boot to the network, UEFI-based devices typically
use the Enter key, and BIOS-based devices use the F12 key.
The following example shows the Hyper-V Gen1 (BIOS) PXE experience:
After the device successfully boots via PXE, it behaves similarly to bootable media. For more information, see the
next section on the Task sequence wizard.
For more information, see Use PXE to deploy Windows over the network.

WARNING
If you use PXE deployments, and configure device hardware with the network adapter as the first boot device, these devices
can automatically start an OS deployment task sequence without user interaction. Deployment verification doesn't manage
this configuration. While this configuration may simplify the process and reduce user interaction, it puts the device at greater
risk for accidental reimage.

Task sequence wizard

When you use task sequence media, the task sequence wizard runs to guide the process.
Welcome to the task sequence wizard

If you password-protect the media, the user has to enter the password on this welcome page.
Select Configure Network Settings to specify a static IP address or other custom network settings.
Otherwise, the device uses DHCP by default.
If your network requires a proxy, select Configure Proxy Settings .
Select a task sequence to run
If you deploy more than one task sequence to the device, you see this page to select a task sequence. Make sure to
use a name and description for your task sequence that users can understand.
Edit task sequence variables
If any task sequence variables have empty values, the wizard shows a page to edit the variable values.

Prestart commands
You can customize task sequence media or boot images to run a prestart command. A prestart command runs
before the task sequence starts. The following actions are some of the more common ones:
Prompt the user for dynamic values, like the computer name
Specify network configuration
Set user device affinity
The prestart command is a command line that you specify with a script or program. The user experience is unique
to that script or program.
For more information, see the following articles:
Prestart commands for task sequence media
Manage boot images
 Task sequence media

Task sequence progress

When the task sequence runs, it displays the Installation progress window:

This window is always on top; you can move it, but you can't close or minimize it.
You can customize the organization name at the top of the window. (The above example shows the default
value, IT Organization ). Change the Organization name client setting in the Computer Agent group.
For more information, see About client settings.

TIP
The task sequence stores this value in the read-only variable _SMSTSOrgName.

You can customize the subheading. (The above example shows the default value,
Running: <task sequence name> .) On the properties of the task sequence, select the option to Use custom
text for the progress notification text. It allows a maximum of 255 characters.
Running action : The first line shows the name of the current task sequence step. The progress bar below it
shows the overall completion of the task sequence.
The second line only shows for some steps that provide more detailed progress.
Use the task sequence variable TSDisableProgressUI to control when the task sequence displays progress.
To completely disable the progress window, disable the option to Show Task Sequence progress on the
User Experience page of the task sequence deployment.
Starting in version 2002, the task sequence progress window includes the following improvements:
Shows the current step number, total number of steps, and percent completion
Increased the width of the window to give you more space to better show the organization name in a single
line
By default, the task sequence progress window uses the existing text. If you make no changes, it continues to work
the same as in version 1910 and earlier. To show the new progress information, specify the task sequence variable,
TSProgressInfoLevel.
The count and percentage completed are intended for general guidance purposes only. These values are based on
the total number of steps in the task sequence. For a more complex task sequence with steps that run conditionally
based on task sequence logic, the progress may be non-linear.
The count of total steps doesn't include the following items in the task sequence:
Groups. This item is a container for other steps, not a step itself.
Instances of the Run task sequence step. This step is a container for other steps.
Steps that you explicitly disable. A disabled step doesn't run during the task sequence.
Starting in version 2006, it doesn't count enabled steps in a disabled group. In version 2002, enabled steps
in a disabled group are still included in the total count.

Task sequence error

If the task sequence fails, it displays the Task Sequence Error window.

You customize the header information the same as the task sequence progress window.
It displays the name of the task sequence, an error code, and a general message for users. For example:
Task sequence: Upgrade to Windows 10 Enterprise has failed with the error code (0x80004005). For more
information, contact your system administrator or helpdesk operator.

The window automatically closes after a timeout period. By default, this timeout is 15 minutes. You can
customize this value with the task sequence variable SMSTSErrorDialogTimeout.
 Task sequence steps
9/4/2020 • 93 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The following task sequence steps can be added to a Configuration Manager task sequence. For more
information, see Use the task sequence editor.

Common settings
The following settings are common to all task sequence steps:
Properties for all steps
Name : The task sequence editor requires that you specify a short name to describe this step. When you
add a new step, the task sequence editor sets the name to the Type by default. The Name length can't
exceed 50 characters.
Description : Optionally, specify more detailed information about this step. The Description length can't
exceed 256 characters.
The rest of this article describes the other settings on the Proper ties tab for each task sequence step.
Options for all steps
Disable this step : The task sequence skips this step when it runs on a computer. The icon for this step is
greyed out in the task sequence editor.
Continue on error : If an error occurs while running the step, the task sequence continues. For more
information, see Planning considerations for automating tasks.
Add Condition : The task sequence evaluates these conditional statements to determine if it runs the step.
For an example of using a task sequence variable as a condition, see How to use task sequence variables.
For more information about conditions, see Task sequence editor - Conditions.
The sections below for specific task sequence steps describe other possible settings on the Options tab.

Apply Data Image

Use this step to copy the data image to the specified destination partition.
This step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Images , and select Apply Data Image .
Variables for Apply Data Image
Use the following task sequence variables with this step:
OSDDataImageIndex
OSDWipeDestinationPartition
Cmdlets for Apply Data Image
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepApplyDataImage
New-CMTSStepApplyDataImage
 Remove-CMTSStepApplyDataImage
Set-CMTSStepApplyDataImage
Properties for Apply Data Image
On the Proper ties tab for this step, configure the settings described in this section.
Image Package
Select Browse to specify the Image Package used by this task sequence. Select the package you want to install
in the Select a Package dialog box. The bottom of the dialog box displays the associated property information
for each existing image package. Use the drop-down list to select the Image you want to install from the selected
Image Package .

NOTE
This task sequence action treats the image as a data file. This action doesn't do any setup to boot the image as an OS.

Destination
Configure one of the following options:
Next available par tition : Use the next sequential partition that an Apply Operating System or Apply
Data Image step in this task sequence has not already targeted.
Specific disk and par tition : Select the Disk number (starting with 0) and the Par tition number
(starting with 1).
Specific logical drive letter : Specify the Drive Letter that Windows PE assigns to the partition. This
drive letter can be different from the drive letter assigned by the newly deployed OS.
Logical drive letter stored in a variable : Specify the task sequence variable that contains the drive
letter assigned to the partition by Windows PE. This variable is typically set in the Advanced section of the
Par tition Proper ties dialog box for the Format and Par tition Disk task sequence step.
Delete all content on the partition before applying the image
Specifies that the task sequence deletes all files on the target partition before installing the image. By not
deleting the content of the partition, this action can be used to apply additional content to a previously targeted
partition.

Apply Driver Package

Use this step to download all of the drivers in the driver package and install them on the Windows OS.
The Apply Driver Package task sequence step makes all device drivers in a driver package available for use by
Windows. Add this step between the Apply Operating System and Setup Windows and ConfigMgr steps
to make the drivers in the package available to Windows. The Apply Driver Package task sequence step is also
useful with stand-alone media deployment scenarios.
Put similar device drivers into a driver package, and distribute them to the appropriate distribution points. For
example, put all drivers from one manufacturer into a driver package. Then distribute the package to distribution
points where the associated computers can access them.
The Apply Driver Package step is useful for stand-alone media. This step is also useful to install a specific set of
drivers. These types of drivers include devices that Windows plug-and-play doesn't detect, such as network
printers.
This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Drivers , and select Apply Driver Package .
 TIP
For an overview on drivers in Configuration Manager, see Use task sequences to install drivers.
Use content pre-caching to download an applicable driver package before a user installs the task sequence. For more
information, see Configure pre-cache content.

Variables for Apply Driver Package

Use the following task sequence variables with this step:
OSDApplyDriverBootCriticalContentUniqueID
OSDApplyDriverBootCriticalHardwareComponent
OSDApplyDriverBootCriticalID
OSDApplyDriverBootCriticalINFFile
OSDInstallDriversAdditionalOptions
Cmdlets for Apply Driver Package
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepApplyDriverPackage
New-CMTSStepApplyDriverPackage
Remove-CMTSStepApplyDriverPackage
Set-CMTSStepApplyDriverPackage
Properties for Apply Driver Package
On the Proper ties tab for this step, configure the settings described in this section.
Driver package
Specify the driver package that contains the needed device drivers. Select Browse to launch the Select a
Package dialog box. Select an existing driver package to apply. The bottom of the dialog box displays the
associated package properties.
Install driver package via running DISM with recurse option
Select this option to add the /recurse parameter to the DISM command line when Windows applies the driver
package.
When you enable this option, you can also specify additional DISM command-line parameters. Use the
OSDInstallDriversAdditionalOptions task sequence variable to include more options. For more information, see
Windows 10 DISM Command-Line Options.
Select the mass storage driver within the package that needs to be installed before setup on pre-Windows Vista operating systems
Specify any mass storage drivers needed to install a classic OS.
Dr i ver

Select the mass storage driver file to install before setup of a classic OS. The drop-down list populates from the
specified package.
Mo del

Specify the boot-critical device that is needed for pre-Windows Vista OS deployments.
Do unattended installation of unsigned drivers on version of Windows where this is allowed
This option allows Windows to install drivers without a digital signature.

Apply Network Settings

Use this step to specify the network or workgroup configuration information for the destination computer. The
task sequence stores these values in the appropriate answer file. Windows Setup uses this answer file during the
Setup Windows and ConfigMgr action.
This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Settings , and select Apply Network Settings .

NOTE
If you include multiple instances of this step in a task sequence, conditions don't apply. The settings from the last instance
of this step in the task sequence are applied to the device. To work around this behavior, include each step in a separate
group with conditions on the group.

Variables for Apply Network Settings

Use the following task sequence variables with this step:
OSDAdapter
OSDAdapterCount
OSDDNSDomain
OSDDNSSuffixSearchOrder
OSDDomainName
OSDDomainOUName
OSDEnableTCPIPFiltering
OSDJoinAccount
OSDJoinPassword
OSDWorkgroupName
Cmdlets for Apply Network Settings
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepApplyNetworkSetting
New-CMTSStepApplyNetworkSetting
Remove-CMTSStepApplyNetworkSetting
Set-CMTSStepApplyNetworkSetting
Properties for Apply Network Settings
On the Proper ties tab for this step, configure the settings described in this section.
Join a workgroup
Select this option to have the destination computer join the specified workgroup. Enter the name of the
workgroup on the Workgroup line. The value that the Capture Network Settings task sequence step
captures can override this value.
Join a domain
Select this option to have the destination computer join the specified domain. Specify or browse to the domain,
such as fabricam.com . Specify or browse to a Lightweight Directory Access Protocol (LDAP) path for an
organizational unit. For example: LDAP//OU=computers, DC=Fabricam.com, C=com .

NOTE
When an Azure Active Directory (Azure AD)-joined client runs an OS deployment task sequence, the client in the new OS
won't automatically join Azure AD. Even though it's not Azure AD-joined, the client is still managed.

Account
Select Set to specify an account with the necessary permissions to join the computer to the domain. In the
Windows User Account dialog box, enter the user name in the following format: Domain\User . For more
information, see Domain joining account.
Adapter settings
Specify network configurations for each network adapter in the computer. Select New to open the Network
Settings dialog box, and then specify the network settings.
If you also use the Capture Network Settings step, the task sequence applies the previously captured
settings to the network adapter.
If the task sequence didn't previously capture network settings, it applies the settings you specify in this step.
The task sequence applies these settings to network adapters in Windows device enumeration order.
The task sequence doesn't immediately apply the settings you specify in this step to the computer.

Apply Operating System Image

Use this step to install an OS on the destination computer.
After the Apply Operating System action runs, it sets the OSDTargetSystemDrive variable to the drive letter
of the partition containing the OS files.
This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Images , and select Apply Operating System
Image .

TIP
Beginning with Windows 10, version 1709, media includes multiple editions. When you configure a task sequence to use
an OS upgrade package or OS image, be sure to select a supported edition.
Use content pre-caching to download an applicable OS upgrade package before a user installs the task sequence. For
more information, see Configure pre-cache content.
The Setup Windows and ConfigMgr step starts the installation of Windows.

Variables for Apply OS Image

Use the following task sequence variables with this step:
OSDConfigFileName
OSDImageIndex
OSDTargetSystemDrive
Cmdlets for Apply OS Image
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepApplyOperatingSystem
New-CMTSStepApplyOperatingSystem
Remove-CMTSStepApplyOperatingSystem
Set-CMTSStepApplyOperatingSystem
Behaviors for Apply OS Image
This step performs different actions depending on whether it uses an OS image or an OS upgrade package.
OS image actions
The Apply Operating System Image step performs the following actions when using an OS image:
1. Delete all content on the targeted volume, except files in the folder specified by the
 _SMSTSUserStatePath variable.
2. Extract the contents of the specified .wim file to the specified destination partition.
3. Prepare the answer file:
a. Create a new default Windows Setup answer file (sysprep.inf or unattend.xml) for the deployed OS.
b. Merge any values from the user-supplied answer file.
4. Copy Windows boot loaders into the active partition.
5. Set the boot.ini or the Boot Configuration Database (BCD) to reference the newly installed OS.
OS upgrade package actions
The Apply Operating System Image step performs the following actions when using an OS upgrade package:
1. Delete all content on the targeted volume, except files in the folder specified by the
_SMSTSUserStatePath variable.
2. Prepare the answer file:
a. Create a fresh answer file with standard values created by Configuration Manager.
b. Merge any values from the user-supplied answer file.
Properties for Apply OS Image
On the Proper ties tab for this step, configure the settings described in this section.
Apply operating system from a captured image
Installs an OS image that you captured. Select Browse to open the Select a package dialog box. Then select the
existing image package you want to install. If multiple images are associated with the specified Image package ,
select from the drop-down list the associated image to use for this deployment. You can view basic information
about each existing image by selecting it.
Apply operating system image from an original installation source
Installs an OS using an OS upgrade package, which is also an original installation source. Select Browse to open
the Select an Operating System Upgrade Package dialog box. Then select the existing OS upgrade package
you want to use. You can view basic information about each existing image source by selecting it. The results
pane at the bottom of the dialog box displays the associated image source properties. If there are multiple
editions associated with the specified package, use the drop-down list to select the Edition you want to use.

NOTE
Operating System Upgrade Packages are primarily meant for use with in-place upgrades and not for new installations
of Windows. When deploying new installations of Windows, use the Apply operating system from a captured image
option and install.wim from the installation source files.
Deploying new installations of Windows via Operating System Upgrade Packages is still supported, but it's dependent
on drivers being compatible with this method. When installing Windows from an OS upgrade package, drivers are installed
while still in Windows PE versus simply being injected while in Windows PE. Some drivers aren't compatible with being
installed while in Windows PE.
If drivers aren't compatible with being installed while in Windows PE, then create an Operating System Image with the
install.wim from the original installation source files. Then deploy via the Apply operating system from a captured
image option instead.

Use an unattended or sysprep answer file for a custom installation

Use this option to provide a Windows setup answer file (unattend.xml , unattend.txt , or sysprep.inf )
depending on the OS version and installation method. The file you specify can include any of the standard
configuration options supported by Windows answer files. For example, you can use it to specify the default
Internet Explorer home page. Specify the package that contains the answer file and the associated path to the file
in the package.

NOTE
The Windows setup answer file that you supply can contain embedded task sequence variables of the form %varname% ,
where varname is the name of the variable. The Setup Windows and ConfigMgr step substitutes the variable string for
the actual value of the variable. You can't use these embedded task sequence variables in numeric-only fields in an
unattend.xml answer file.

If you don't supply a Windows setup answer file, the task sequence automatically generates an answer file.
Destination
Configure one of the following options:
Next available par tition : Use the next sequential partition not already targeted by an Apply
Operating System or Apply Data Image step in this task sequence.
Specific disk and par tition : Select the Disk number (starting with 0) and the Par tition number
(starting with 1).
Specific logical drive letter : Specify the Drive Letter assigned to the partition by Windows PE. This
drive letter can be different from the drive letter assigned by the newly deployed OS.
Logical drive letter stored in a variable : Specify the task sequence variable containing the drive letter
assigned to the partition by Windows PE. This variable is typically set in the Advanced section of the
Par tition Proper ties dialog box for the Format and Par tition Disk task sequence step.
Options for Apply OS Image
Besides the default options, configure the following additional settings on the Options tab of this task sequence
step:
Access content directly from the distribution point
Configure the task sequence to access the OS image directly from the distribution point. For example, use this
option when you deploy operating systems to embedded devices that have limited storage capacity. When
selecting this option, also configure the package share settings on the Data Access tab of the OS image
properties.

NOTE
This setting overrides the deployment option that you configure on the Distribution Points page in the Deploy
Software Wizard . This override is only for the OS image that this step specifies, not for all task sequence content.

IMPORTANT
For greatest security, it is strongly recommended not to select this option. This option is mainly designed for use on
devices with limited storage capacity. This option is not meant to help increase the speed of the task sequence. When this
option is selected, the package hash is not verified for the operating system package. Therefore, package integrity cannot
be ensured because it is possible for users with administrative rights to alter or tamper with package contents.

Apply Windows Settings

Use this step to configure the Windows settings for the destination computer. The task sequence stores these
values in the appropriate answer file. Windows Setup uses this answer file during the Setup Windows and
ConfigMgr step.
This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Settings , and select Apply Windows Settings .
Variables for Apply Windows Settings
Use the following task sequence variables with this step:
OSDComputerName
OSDLocalAdminPassword
OSDProductKey
OSDRandomAdminPassword
OSDRegisteredOrgName
OSDRegisteredUserName
OSDServerLicenseConnectionLimit
OSDServerLicenseMode
OSDTimeZone
OSDWindowsSettingsInputLocale
OSDWindowsSettingsSystemLocale
OSDWindowsSettingsUILanguage
OSDWindowsSettingsUILanguageFallback
OSDWindowsSettingsUserLocale
Cmdlets for Apply Windows Settings
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepApplyWindowsSetting
New-CMTSStepApplyWindowsSetting
Remove-CMTSStepApplyWindowsSetting
Set-CMTSStepApplyWindowsSetting
Properties for Apply Windows Settings
On the Proper ties tab for this step, configure the settings described in this section.
User name
Specify the registered user name to associate with the destination computer. The value that the Capture
Windows Settings task sequence step captures can override this value.
Organization name
Specify the registered organization name to associate with the destination computer. The value that the Capture
Windows Settings task sequence step captures can override this value.
Product key
Specify the product key to use for the Windows installation on the destination computer.
Server licensing
Specify the server licensing mode.
Select Per ser ver or Per user as the licensing mode.
If you select Per ser ver , also specify the maximum number of connections permitted per your license
agreement.
If the destination computer isn't a server, or you don't want to specify the licensing mode, select Do not
specify .
Maximum connections
 NOTE
This setting only applies to legacy versions of Windows that are no longer supported.

Randomly generate the local administrator password and disable the account on all supported platforms (recommended)
Select this option to set the local administrator password to a randomly generated string. This option also
disables the local administrator account on platforms that support this capability.
Enable the account and specify the local administrator password
Select this option to enable the local administrator account using the specified password. Enter the password on
the Password line and confirm the password on the Confirm password line.
Time zone
Specify the time zone to configure on the destination computer. The value that the Capture Windows Settings
task sequence step captures can override this value.
Language settings
Starting in version 1910, control the language configuration during OS deployment. If you're already applying
these language settings, this change can help you simplify your OS deployment task sequence. Instead of using
multiple steps per language or separate scripts, use one instance per language of this step with a condition for
that language.
Configure the following settings:
Input locale (default keyboard layout)
System locale
UI language
UI language fallback
User locale
For more information on these Windows setup answer file values, see Microsoft-Windows-International-Core.

NOTE
If you create a custom Windows setup answer file (unattend.xml), this step overwrites any existing values. To automate a
dynamic process for these settings, use the related task sequence variables. For example,
OSDWindowsSettingsInputLocale.

Auto Apply Drivers

Use this step to match and install drivers as part of the OS deployment.

IMPORTANT
Stand-alone media can't use the Auto Apply Drivers step. The task sequence has no connection to the Configuration
Manager site in this scenario.

This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Drivers , and select Auto Apply Drivers .

TIP
For an overview of drivers in Configuration Manager, see Use task sequences to install drivers.
Behaviors for Auto Apply Drivers
The Auto Apply Drivers task sequence step performs the following actions:
1. Scan the hardware and find the plug-and-play IDs for all devices present on the system.
2. Send the list of devices and their plug-and-play IDs to the management point. The management point
returns a list of compatible drivers from the driver catalog for each hardware device. The list includes all
enabled drivers regardless of what driver package they are in, and drivers tagged with the specified driver
category.
3. For each hardware device, the task sequence picks the best driver. This driver is appropriate for the
deployed OS, and is on an accessible distribution point.
4. The task sequence downloads the selected drivers from a distribution point, and stages the drivers on the
target OS.
a. When using an OS image, the task sequence places the drivers into the OS driver store.
b. When using an OS upgrade package as an original installation source, the task sequence configures
Windows Setup with the drivers' location.
5. During the Setup Windows and ConfigMgr step in the task sequence, Windows Setup finds the drivers
staged by this step.
Variables for Auto Apply Drivers
Use the following task sequence variables with this step:
OSDAutoApplyDriverBestMatch
OSDAutoApplyDriverCategoryList
SMSTSDriverRequestConnectTimeOut
SMSTSDriverRequestReceiveTimeOut
SMSTSDriverRequestResolveTimeOut
SMSTSDriverRequestSendTimeOut
Cmdlets for Auto Apply Drivers
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepAutoApplyDriver
New-CMTSStepAutoApplyDriver
Remove-CMTSStepAutoApplyDriver
Set-CMTSStepAutoApplyDriver
Properties for Auto Apply Drivers
On the Proper ties tab for this step, configure the settings described in this section.
Install only the best matched compatible drivers
Specifies that the task sequence step installs only the best matched driver for each hardware device detected.
Install all compatible drivers
The task sequence installs all drivers compatible for each detected hardware device. Windows Setup then
chooses the best driver. This option takes more network bandwidth and disk space. The task sequence downloads
more drivers, but Windows can select a better driver.
Consider drivers from all categories
The task sequence searches all available driver categories for the appropriate device drivers.
Limit driver matching to only consider drivers in selected categories
The task sequence searches in the specified driver categories for the appropriate device drivers.
If you select multiple categories, it returns all matching drivers that are present in any of the categories. It's
equivalent to an OR operation.
Do unattended installation of unsigned drivers on versions of Windows where this is allowed
This option allows Windows to install drivers without a digital signature.

IMPORTANT
This option doesn't apply to operating systems where you can't configure driver signing policy.

Capture Network Settings

Use this step to capture Microsoft network settings from the computer running the task sequence. The task
sequence saves these settings in task sequence variables. These settings override the default settings you
configure on the Apply Network Settings step.
This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Settings , and select Capture Network Settings .
Variables for Capture Network Settings
Use the following task sequence variables with this step:
OSDMigrateAdapterSettings
OSDMigrateNetworkMembership
Cmdlets for Capture Network Settings
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepCaptureNetworkSettings
New-CMTSStepCaptureNetworkSettings
Remove-CMTSStepCaptureNetworkSettings
Set-CMTSStepCaptureNetworkSettings
Properties for Capture Network Settings
On the Proper ties tab for this step, configure the settings described in this section.
Migrate domain and workgroup membership
Captures the domain and workgroup membership information of the destination computer.
Migrate network adapter configuration
Captures the network adapter configuration of the destination computer. It captures the following information:
Global network settings
Number of adapters
The following network settings associated with each adapter: DNS, WINS, IP, and port filters

Capture Operating System Image

This step captures one or more images from a reference computer. The task sequence creates a Windows image
(.wim) file on the specified network share. Then use the Add Operating System Image Package wizard to
import this image into Configuration Manager for image-based OS deployments.
Configuration Manager captures each volume (drive) from the reference computer to a separate image within
the .wim file. If the referenced computer has multiple volumes, the resulting .wim file contains a separate image
for each volume. This step only captures volumes that are formatted as NTFS or FAT32. It skips volumes with
other formats, and USB volumes.
The installed OS on the reference computer must be a version of Windows that Configuration Manager supports.
Use the SysPrep tool to prepare the OS on the reference computer. The installed OS volume and the boot volume
must be the same volume.
Specify an account with write permissions to the selected network share. For more information on the capture
OS image account, see Accounts.
This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Images , and select Capture Operating System
Image .
Variables for Capture OS Image
Use the following task sequence variables with this step:
OSDCaptureAccount
OSDCaptureAccountPassword
OSDCaptureDestination
OSDImageCreator
OSDImageDescription
OSDImageVersion
OSDTargetSystemRoot
Cmdlets for Capture OS Image
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepCaptureSystemImage
New-CMTSStepCaptureSystemImage
Remove-CMTSStepCaptureSystemImage
Set-CMTSStepCaptureSystemImage
Properties for Capture OS Image
On the Proper ties tab for this step, configure the settings described in this section.
Target
File system path to the location that Configuration Manager uses when storing the captured OS image.
Description
An optional user-defined description of the captured OS image that's stored in the image file.
Version
An optional user-defined version number to assign to the captured OS image. This value can be any combination
of letters and numbers. It's stored in the image file.
Created by
The optional name of the user that created the OS image. It's stored in the image file.
Capture operating system image account
Enter the Windows account that has permissions to the specified network share. Select Set to specify the name
of the Windows account.

Capture User State

This step uses the User State Migration Tool (USMT) to capture user state and settings from the computer
running the task sequence. This task sequence step is used in conjunction with the Restore User State task
sequence step. This step always encrypts the USMT state store by using an encryption key that Configuration
Manager generates and manages.
For more information about managing the user state when deploying operating systems, see Manage user state.
If you want to save and restore user state settings from a state migration point, use this step with the Request
State Store and Release State Store steps.
This step provides control over a limited subset of the most commonly used USMT options. Specify additional
command-line options using the OSDMigrateAdditionalCaptureOptions task sequence variable.
This task sequence step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select User State , and select Capture User State .
Variables for Capture User State
Use the following task sequence variables with this step:
_OSDMigrateUsmtPackageID
OSDMigrateAdditionalCaptureOptions
OSDMigrateConfigFiles
OSDMigrateContinueOnLockedFiles
OSDMigrateEnableVerboseLogging
OSDMigrateMode
OSDMigrateSkipEncryptedFiles
OSDStateStorePath
Cmdlets for Capture User State
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepCaptureUserState
New-CMTSStepCaptureUserState
Remove-CMTSStepCaptureUserState
Set-CMTSStepCaptureUserState
Properties for Capture User State
On the Proper ties tab for this step, configure the settings described in this section.
User state migration tool package
Specify the package that contains the User State Migration Tool (USMT). The task sequence uses this version of
USMT to capture the user state and settings. This package doesn't require a program. Specify a package
containing the 32-bit or 64-bit version of USMT. The architecture of USMT depends upon the architecture of the
OS from which the task sequence is capturing state.
Capture all user profiles with standard options
Migrate all user profile information. This option is the default.
If you select this option, but don't select Restore local computer user profiles in the Restore User State
step, the task sequence fails. Configuration Manager can't migrate the new accounts without assigning them
passwords.
When you use the Install an existing image package option of the New Task Sequence wizard, the
resulting task sequence defaults to Capture all user profiles with standard options . This default task
sequence doesn't select the option to Restore local computer user profiles , or non-domain user accounts.
Select Restore local computer user profiles and provide a password for the account to migrate. In a
manually created task sequence, this setting is found under the Restore User State step. In a task sequence
created by the New Task Sequence wizard, this setting is found under the step Restore User Files and
Settings wizard page.
If you have no local user accounts, this setting doesn't apply.
Customize how user profiles are captured
Select this option to specify a custom profile file for migration. Select Files to select the configuration files for
USMT to use with this step. Specify a custom .xml file that contains rules that define the user state files to
migrate.
Click here to select configuration files
Select this option to select the configuration files in the USMT package you want to use for capturing user
profiles. Select the Files button to launch the Configuration Files dialog box. To specify a configuration file,
enter the name of the file on the Filename line and select the Add button.
Enable verbose logging
Enable this option to generate more detailed log file information. When capturing state, the task sequence by
default generates ScanState.log in the task sequence log folder, %WinDir%\ccm\logs .
Skip files using encrypted file system
Enable this option to skip capturing files encrypted with the Encrypted File System (EFS). These files include user
profile files. Depending on the OS and USMT versions, encrypted files might not be readable after you restore.
For more information, see the USMT documentation.
Copy by using file system access
Enable this option to specify any of the following settings:
Continue if some files cannot be captured : Enable this setting to continue the migration process
even if it can't capture some files. If you disable this option, and a file can't be captured, then this step fails.
This option is enabled by default.
Capture locally by using links instead of by copying files : Enable this setting to use NTFS hard-
links to capture files.
For more information about migrating data using hard-links, see Hard-Link Migration Store.
Capture in off-line mode (Windows PE only) : Enable this setting to capture the user state while in
Windows PE instead of the full OS.
Capture by using Volume Copy Shadow Services (VSS)
This option allows you to capture files even if they're locked for editing by another application.

Capture Windows Settings

Use this step to capture the Windows settings from the computer running the task sequence. The task sequence
saves these settings in task sequence variables. These captured settings override the default settings that you
configure on the Apply Windows Settings step.
This task sequence step runs in either Windows PE or the full OS.
To add this step in the task sequence editor, select Add , select Settings , and select Capture Windows Settings .
Variables for Capture Windows Settings
Use the following task sequence variables with this step:
OSDComputerName
OSDMigrateComputerName
OSDMigrateRegistrationInfo
OSDMigrateTimeZone
 OSDRegisteredOrgName
OSDTimeZone
Cmdlets for Capture Windows Settings
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepCaptureWindowsSettings
New-CMTSStepCaptureWindowsSettings
Remove-CMTSStepCaptureWindowsSettings
Set-CMTSStepCaptureWindowsSettings
Properties for Capture Windows Settings
On the Proper ties tab for this step, configure the settings described in this section.
Migrate computer name
Capture the NetBIOS computer name of the computer.
Migrate registered user and organization names
Capture the registered user and organization names from the computer.
Migrate time zone
Capture the time zone setting on the computer.

Check Readiness
Use this step to verify that the target computer meets the specified deployment prerequisite conditions.
To add this step in the task sequence editor, select Add , select General , and select Check Readiness .
Starting in version 2002, this step includes eight new checks. None of these new checks are selected by default in
new or existing instances of the step. For more information on each check, see the specific sections below.
Architecture of current OS
Minimum OS version
Maximum OS version
Minimum client version
Language of current OS
AC power plugged in
Network adapter connected
Network adapter is not wireless
Starting in version 2006, this step includes includes a check to determine if the device uses UEFI, Computer is
in UEFI mode .

IMPORTANT
To take advantage of this new Configuration Manager feature, after you update the site, also update clients to the latest
version. While new functionality appears in the Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.

The smsts.log includes the outcome of all checks. If one check fails, the task sequence engine continues to
evaluate the other checks. The step doesn't fail until all checks are complete. If at least one check fails, the step
fails, and it returns error code 4316 . This error code translates to "The resource required for this operation does
not exist."
Variables for Check Readiness
Use the following task sequence variables with this step:
_TS_CRMEMORY
_TS_CRSPEED
_TS_CRDISK
_TS_CROSTYPE
_TS_CRARCH (starting in version 2002)
_TS_CRMINOSVER (starting in version 2002)
_TS_CRMAXOSVER (starting in version 2002)
_TS_CRCLIENTMINVER (starting in version 2002)
_TS_CROSLANGUAGE (starting in version 2002)
_TS_CRACPOWER (starting in version 2002)
_TS_CRNETWORK (starting in version 2002)
_TS_CRUEFI (starting in version 2006)
_TS_CRWIRED (starting in version 2002)
Cmdlets for Check Readiness
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepPrestartCheck
New-CMTSStepPrestartCheck
Remove-CMTSStepPrestartCheck
Set-CMTSStepPrestartCheck
Properties for Check Readiness
On the Proper ties tab for this step, configure the settings described in this section.
Minimum memory (MB)
Verify that the amount of memory, in megabytes (MB), meets or exceeds the specified amount. The step enables
this setting by default.
Minimum processor speed (MHz)
Verify that the speed of the processor, in megahertz (MHz), meets or exceeds the specified amount. The step
enables this setting by default.
Minimum free disk space (MB)
Verify that the amount of free disk space, in megabytes (MB), meets or exceeds the specified amount.
Current OS to be refreshed is
Verify that the OS installed on the target computer meets the specified requirement. The step sets this setting to
CLIENT by default.
Architecture of current OS
Starting in version 2002, verify whether the current OS is 32-bit or 64-bit .
Minimum OS version
Starting in version 2002, verify that the current OS is running a version later than specified. Specify the version
with major version, minor version, and build number. For example, 10.0.16299 .
Maximum OS version
Starting in version 2002, verify that the current OS is running a version earlier than specified. Specify the version
with major version, minor version, and build number. For example, 10.0.18356 .
Minimum client version
Starting in version 2002, verify that the Configuration Manager client version is at least the specified version.
Specify the client version in the following format: 5.00.8913.1005 .
Language of current OS
Starting in version 2002, verify that the current OS language matches what you specify. Select the language
name, and the step compares the associated language code. This check compares the language that you select to
the OSLanguage property of the Win32_OperatingSystem WMI class on the client.
AC power plugged in
Starting in version 2002, verify that the device is plugged in and not on battery.
Network adapter connected
Starting in version 2002, verify that the device has a network adapter that's connected to the network. You can
also select the dependent check to verify that the Network adapter is not wireless .
Computer is in UEFI mode
Starting in version 2006, determine whether the device is configured for UEFI or BIOS.
Options for Check Readiness

NOTE
If you enable the Continue on error setting on the Options tab of this step, it only logs the readiness check results. If a
check fails, the task sequence doesn't stop.

Connect To Network Folder

Use this step to create a connection to a shared network folder.
This task sequence step runs in the full OS or Windows PE.
To add this step in the task sequence editor, select Add , select General , and select Connect To Network
Folder .
Variables for Connect To Network Folder
Use the following task sequence variables with this step:
SMSConnectNetworkFolderAccount
SMSConnectNetworkFolderDriveLetter
SMSConnectNetworkFolderPassword
SMSConnectNetworkFolderPath
Cmdlets for Connect To Network Folder
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepConnectNetworkFolder
New-CMTSStepConnectNetworkFolder
Remove-CMTSStepConnectNetworkFolder
Set-CMTSStepConnectNetworkFolder
Properties for Connect To Network Folder
On the Proper ties tab for this step, configure the settings described in this section.
Path
Select Browse to specify the network folder path. Use the format \\server\share .
Drive
Select the local drive letter to assign for this connection.
Account
Select Set to specify the user account with permissions to connect to this network folder. For more information
on the task sequence network folder connection account, see Accounts.

Disable BitLocker
Use this step to disable BitLocker encryption on the current OS drive, or on a specific drive. This action leaves the
key protectors visible in clear text on the hard drive. It doesn't decrypt the contents of the drive. This action
completes almost instantly.

NOTE
BitLocker drive encryption provides low-level encryption of the contents of a disk volume.

If you have multiple encrypted drives, disable BitLocker on any data drives before disabling BitLocker on the OS
drive.
This step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Disks , and select Disable BitLocker .
Variables for Disable BitLocker
Starting in version 1906, use the following task sequence variables with this step:
OSDBitLockerRebootCount
OSDBitLockerRebootCountOverride
Cmdlets for Disable BitLocker
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepDisableBitLocker
New-CMTSStepDisableBitLocker
Remove-CMTSStepDisableBitLocker
Set-CMTSStepDisableBitLocker
Properties for Disable BitLocker
On the Proper ties tab for this step, configure the settings described in this section.
Current operating system drive
Disables BitLocker on the current OS drive.
Specific drive
Disables BitLocker on a specific drive. Use the drop-down list to specify the drive where BitLocker is disabled.
Resume protection after Windows has been restarted the specified number of times
Starting in version 1906, use this option to specify the number of restarts to keep BitLocker disabled. Instead of
adding multiple instances of this step, set a value between 1 (default) and 15.
You can set and modify this behavior with the task sequence variables OSDBitLockerRebootCount and
OSDBitLockerRebootCountOverride.

Download Package Content

Use this step to download any of the following package types:
OS images
OS upgrade packages
Driver packages
 Packages
Boot images Note 1
This step works well in a task sequence to upgrade an OS in the following scenarios:
To use a single upgrade task sequence that can work with both x86 and x64 platforms. Include two
Download Package Content steps in the Prepare for Upgrade group. Specify conditions on the
Options tab to detect the client architecture, and download only the appropriate OS upgrade package.
Configure each Download Package Content step to use the same variable. Use the variable for the
media path on the Upgrade Operating System step.
To dynamically download an applicable driver package, use two Download Package Content steps with
conditions to detect the appropriate hardware type for each driver package. Configure each Download
Package Content step to use the same variable. Use the variable for the Staged content value in the
Drivers section of the Upgrade Operating System step.

NOTE
When you deploy a task sequence that contains this step, don't select Download all content locally before star ting
the task sequence or Access content directly from a distribution point for Deployment options on the
Distribution Points page of the Deploy Software Wizard.

This step runs in either the full OS or Windows PE. The option to save the package in the Configuration Manager
client cache isn't supported in Windows PE.

NOTE
The Download Package Content task isn't supported for use with stand-alone media. For more information, see
Unsupported actions for stand-alone media.

To add this step in the task sequence editor, select Add , select Software , and select Download Package
Content .
Cmdlets for Download Package Content
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepDownloadPackageContent
New-CMTSStepDownloadPackageContent
Remove-CMTSStepDownloadPackageContent
Set-CMTSStepDownloadPackageContent
Properties for Download Package Content
On the Proper ties tab for this step, configure the settings described in this section.
Select package
Select the icon to choose the package to download. After you choose one package, select the icon again to
choose another package.
Place into the following location
Choose to save the package in one of the following locations:
Task sequence working director y : This location is also referred to as the task sequence cache.
Configuration Manager client cache : Use this option to store the content in the client cache. By
default, this path is %WinDir%\ccmcache .
 Custom path : The task sequence engine first downloads the package to the task sequence working
directory. It then moves the content to this path you specify. The task sequence engine appends the path
with the package ID.
Save path as a variable
Save the package's path into a custom task sequence variable. Then use this variable in another task sequence
step.
Configuration Manager adds a numerical suffix to the variable name. For example, you specify a variable of
%MyContent% as a custom variable. It's the root for where the task sequence stores all referenced content for this
step. This content may contain multiple packages. When you refer to the variable, add a numerical suffix. For the
first package, refer to %MyContent01% . When you refer to the variable in subsequent steps, such as Upgrade
Operating System , use %MyContent02% or %MyContent03% , where the number corresponds to the order that the
Download Package Content step lists the packages.
If a package download fails, continue downloading other packages in the list
If the task sequence fails to download a package, it starts to download the next package in the list.
Note 1: Use of boot images in the Download Package Content step
Applies to version 1910 and later
If you configure the task sequence properties to Use a boot image , then adding a boot image to this step is
redundant. Only add a boot image to this step if it's not specified on the properties of the task sequence.
Example use case
A single task sequence to pre-download content:
No associated boot image.
Runs only in the full OS, likely without user interaction.
Uses multiple Download Package Content steps with conditions. Depending upon the specific
language and architecture, it downloads content to the client cache to prepare for the OS deployment
task sequence.
There's only one instance of this task sequence, with all of the possible content options.
Multiple OS deployment task sequences:
A normal OS deployment task sequence.
Has a boot image referenced in its properties.
There are multiple instances of this task sequence, with different boot images as needed by
architecture and language

Enable BitLocker
BitLocker drive encryption provides low-level encryption of the contents of a disk volume. Use this step to enable
BitLocker encryption on at least two partitions on the hard drive. The first active partition contains the Windows
bootstrap code. Another partition contains the OS. The bootstrap partition must remain unencrypted.
To enable BitLocker on a drive while in Windows PE, use the Pre-provision BitLocker step.
This step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Disks , and select Enable BitLocker .
When you specify TPM Only , TPM and Star tup Key on USB , or TPM and PIN , the Trusted Platform Module
(TPM) must be in the following state before you can run the Enable BitLocker step:
Enabled
Activated
 Ownership Allowed
Starting in version 2006, you can skip this step for computers that don't have a TPM or when the TPM isn't
enabled. A new setting makes it easier to manage the task sequence behavior on devices that can't fully support
BitLocker.
This step completes any remaining TPM initialization. The remaining actions don't require physical presence or
reboots. The Enable BitLocker step transparently completes the following remaining TPM initialization actions,
if necessary:
Create endorsement key pair
Create owner authorization value and escrow to Active Directory, which must have been extended to support
this value
Take ownership
Create the storage root key, or reset if already present but incompatible
If you want the task sequence to wait for the Enable BitLocker step to complete the drive encryption process,
then select the Wait option. If you don't select the Wait option, the drive encryption process happens in the
background. The task sequence immediately proceeds to the next step.
BitLocker can be used to encrypt multiple drives on a computer system, both OS and data drives. To encrypt a
data drive, first encrypt the OS drive and complete the encryption process. This requirement is because the OS
drive stores the key protectors for the data drives. If you encrypt the OS and data drives in the same task
sequence, select the Wait option on the Enable BitLocker step for the OS drive.
If the hard drive is already encrypted, but BitLocker is disabled, then the Enable BitLocker step re-enables the
key protectors and completes quickly. Re-encryption of the hard drive isn't necessary in this case.
Variables for Enable BitLocker
Use the following task sequence variables with this step:
OSDBitLockerRecoveryPassword
OSDBitLockerStartupKey
Cmdlets for Enable BitLocker
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepEnableBitLocker
New-CMTSStepEnableBitLocker
Remove-CMTSStepEnableBitLocker
Set-CMTSStepEnableBitLocker
Properties for Enable BitLocker
On the Proper ties tab for this step, configure the settings described in this section.
Choose the drive to encrypt
Specifies the drive to encrypt. To encrypt the current OS drive, select Current operating system drive . Then
configure one of the following options for key management:
TPM only : Select this option to use only Trusted Platform Module (TPM).
Star tup Key on USB only : Select this option to use a startup key stored on a USB flash drive. When you
select this option, BitLocker locks the normal boot process until a USB device that contains a BitLocker
startup key is attached to the computer.
TPM and Star tup Key on USB : Select this option to use TPM and a startup key stored on a USB flash
drive. When you select this option, BitLocker locks the normal boot process until a USB device that
 contains a BitLocker startup key is attached to the computer.
TPM and PIN : Select this option to use TPM and a personal identification number (PIN). When you select
this option, BitLocker locks the normal boot process until the user provides the PIN.
To encrypt a specific, non-OS data drive, select Specific drive . Then select the drive from the list.
Disk encryption mode
Starting in version 2006, select one of the following encryption algorithms:
AES_128
AES_256
XTS_AES256
XTS_AES128
By default or if not specified, the step continues to use the default encryption method for the OS version. If the
step runs on a version of Windows that doesn't support the specified algorithm, it falls back to the OS default. In
this circumstance, the task sequence engine sends status message 11911.
Use full disk encryption
By default, this step only encrypts used space on the drive. This default behavior is recommended, as it's faster
and more efficient. If your organization requires encrypting the entire drive during setup, then enable this option.
Windows Setup waits for the entire drive to encrypt, which takes a long time, especially on large drives.

TIP
Starting in version 1910, you can create and deploy BitLocker management policies, which use full disk encryption. To
manage BitLocker on devices after the task sequence deploys the OS, enable this option. For more information, see Plan
for BitLocker management.

Choose where to create the recovery key

To specify for BitLocker to create the recovery password and escrow it in Active Directory, select In Active
Director y . This option requires that you extend Active Directory for BitLocker key escrow. BitLocker can then
save the associated recovery information in Active Directory. Select Do not create recover y key to not create
a password. Creating a password is the recommended option.
Wait for BitLocker to complete the drive encryption process on all drives before continuing task sequence execution
Select this option to allow BitLocker drive encryption to complete prior to running the next step in the task
sequence. If you select this option, BitLocker encrypts the entire disk volume before the user is able to sign in to
the computer.
The encryption process can take hours to complete when encrypting a large hard drive. Not selecting this option
allows the task sequence to proceed immediately.
Skip this step for computers that do not have a TPM or when TPM is not enabled
Starting in version 2006, select this option to skip drive encryption on a computer that doesn't contain a
supported or enabled TPM. For example, use this option when you deploy an OS to a virtual machine. By default,
this setting is disabled for the Enable BitLocker step. If you enable this setting, and the device doesn't have a
functional TPM, the task sequence engine logs an error to smsts.log and sends status message 11912. The task
sequence continues past this step.

Format and Partition Disk

Use this step to format and partition a specified disk on the destination computer.
 IMPORTANT
Every setting you specify for this step applies to a single specified disk. To format and partition another disk on the
destination computer, add an additional Format and Par tition Disk step to the task sequence.

This step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Disks , and select Format and Par tition Disk .
Variables for Format and Partition Disk
Use the following task sequence variables with this step:
OSDDiskIndex
OSDGPTBootDisk
OSDPartitions
OSDPartitionStyle
Cmdlets for Format and Partition Disk
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepPartitionDisk
New-CMTSStepPartitionDisk
Remove-CMTSStepPartitionDisk
Set-CMTSStepPartitionDisk
Properties for Format and Partition Disk
On the Proper ties tab for this step, configure the settings described in this section.
Disk Number
The physical disk number of the disk to format. The number is based on Windows disk enumeration ordering.
Variable name to store disk number
Starting in version 2006, use a task sequence variable to specify the target disk to format. This variable option
supports more complex task sequences with dynamic behaviors. For example, a custom script can detect the disk
and set the variable based on the hardware type. Then you can use multiple instances of this step to configure
different hardware types and partitions.
If you select this property, enter a custom variable name. Add an earlier step in the task sequence to set the value
of this custom variable to an integer value for the physical disk.
The following mock steps show one example:
Run PowerShell Script : a custom script to collect target disks
Sets myOSDisk to 1
Sets myDataDisk to 2
Format and Par tition Disk for OS disk: specifies myOSDisk variable
Configures disk 1 as the system disk
Format and Par tition Disk for data disk: specifies myDataDisk variable
Configures disk 2 for raw storage
A variation of this example uses disk numbers and partitioning plans for different hardware types.
 NOTE
You can still use the existing task sequence variable OSDDiskIndex. However, each instance of the Format and
Par tition Disk step uses the same index value. If you want to programmatically set the disk number for multiple
instances of this step, use this variable property.

Disk Type
The type of the disk to format. There are two options to select from the drop-down list:
Standard (MBR) : Master Boot Record
GPT : GUID Partition Table

NOTE
If you change the disk type from Standard (MBR) to GPT , and the partition layout contains an extended partition, the
task sequence removes all extended and logical partitions from the layout. The task sequence editor prompts to confirm
this action before changing the disk type.

Volume
Specific information about the partition or volume that the task sequence creates, including the following
attributes:
Name
Remaining disk space
To create a new partition, select New to launch the Par tition Proper ties dialog box. Specify the partition type
and size, and if it's a boot partition. To modify an existing partition, select the partition to be modified, and then
select the Proper ties button. For more information about how to configure hard drive partitions, see one of the
following articles:
UEFI/GPT-based hard drive partitions
BIOS/MBR-based hard drive partitions
To delete a partition, choose the partition, and then select Delete .

Install Application
This step installs the specified applications, or a set of applications defined by a dynamic list of task sequence
variables. When the task sequence runs this step, the application installation begins immediately without waiting
for a policy polling interval.
The applications must meet the following criteria:
The application must have a deployment type of Windows Installer or Script installer. Windows app
package (.appx file) deployment types aren't supported.
It must run under the Local System account and not the user account.
It must not interact with the desktop. The program must run silently or in an unattended mode.
It must not initiate a restart on its own. The application must request a restart by using the standard
restart code, 3010. This behavior makes sure that this step correctly handles the restart. If the application
returns a 3010 exit code, the task sequence engine restarts the computer. After the restart, the task
sequence automatically continues.
 NOTE
If the application checks for running executable files, the task sequence will fail to install it. If you don't configure this step
to continue on error, then the entire task sequence fails.

When this step runs, the application checks the applicability of the requirement rules and detection method on its
deployment types. Based on the results of this check, the application installs the applicable deployment type. If a
deployment type contains dependencies, the dependent deployment type is evaluated and installed as part of
this step. Application dependencies aren't supported for stand-alone media.

NOTE
To install an application that supersedes another application, the content files for the superseded application must be
available. Otherwise this task sequence step fails. For example, Microsoft Visio 2010 is installed on a client or in a captured
image. When the Install Application step installs Microsoft Visio 2013, the content files for Microsoft Visio 2010 (the
superseded application) must be available on a distribution point. If Microsoft Visio isn't installed at all on a client or
captured image, the task sequence installs Microsoft Visio 2013 without checking for the Microsoft Visio 2010 content
files.
If you retire a superseded app, and the new app is referenced in a task sequence, the task sequence fails to start. This
behavior is by design: the task sequence requires all app references.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Software , and select Install Application .
Variables for Install Application
Use the following task sequence variables with this step:
_TSAppInstallStatus
SMSTSMPListRequestTimeoutEnabled
SMSTSMPListRequestTimeout
TSErrorOnWarning

NOTE
If the client fails to retrieve the management point list from location services, use the
SMSTSMPListRequestTimeoutEnabled and SMSTSMPListRequestTimeout task sequence variables. These variables
specify how many milliseconds a task sequence waits before it retries installing an application. For more information, see
Task sequence variables.

Cmdlets for Install Application

Manage this step with the following PowerShell cmdlets:
Get-CMTSStepInstallApplication
New-CMTSStepInstallApplication
Remove-CMTSStepInstallApplication
Set-CMTSStepInstallApplication
Properties for Install Application
On the Proper ties tab for this step, configure the settings that are described in this section.
Install the following applications
The task sequence installs these applications in the specified order.
Configuration Manager filters out any disabled applications, or any applications with the following settings:
Only when a user is logged on
Run with user rights
These applications don't appear in the Select the application to install dialog box.
Install applications according to dynamic variable list
The task sequence installs applications using this base variable name. The base variable name is for a set of task
sequence variables defined for a collection or computer. These variables specify the applications that the task
sequence installs for that collection or computer. Each variable name consists of its common base name plus a
numerical suffix starting at 01. The value for each variable must contain the name of the application and nothing
else.
For the task sequence to install applications by using a dynamic variable list, enable the following setting on the
General tab of the application Proper ties : Allow this application to be installed from the Install
Application task sequence action instead of deploying manually .

NOTE
You can't install applications by using a dynamic variable list for stand-alone media deployments.

For example, to install a single application by using a task sequence variable called AA01, specify the following
variable:

VA RIA B L E N A M E VA RIA B L E VA L UE

AA01 Microsoft Office

To install two applications, specify the following variables:

VA RIA B L E N A M E VA RIA B L E VA L UE

AA01 Microsoft Lync

AA02 Microsoft Office

The following conditions affect the applications installed by the task sequence:
If the value of a variable contains any information other than the name of the application. The task
sequence doesn't install the application, and the task sequence continues.
If the task sequence doesn't find a variable with the specified base name and "01" suffix, the task sequence
doesn't install any applications.

IMPORTANT
These values are case-sensitive. For example, "install" is different than "Install". If you need to change the value, the task
sequence editor doesn't detect a change of case. Make another edit at the same time, for example, modify the step
description.

If an application fails, continue installing other applications in the list

This setting specifies that the step continues when an individual application installation fails. If you specify this
setting, the task sequence continues regardless of any installation errors. If you don't specify this setting, and the
installation fails, the step immediately ends.
Clear application content from cache after installing
Starting in version 1906, delete the app content from the client cache after the step runs. This behavior is
beneficial on devices with small hard drives or when installing lots of large apps in succession.
Options for Install Application

NOTE
When you select Continue on error on the Options tab of this step, the task sequence continues when an application
fails to install. When you don't enable this option, the task sequence fails, and doesn't install remaining applications.

Besides the default options, configure the following additional settings on the Options tab of this task sequence
step:
Retry this step if computer unexpectedly restarts
If one of the application installations unexpectedly restarts the computer, retry this step. The step enables this
setting by default with two retries. You can specify from one to five retries.

Install Package
Use this step to install a software package as part of the task sequence. When this step runs, the installation
begins immediately without waiting for a policy polling interval.
The package must meet the following criteria:
It must run under the Local System account and not a user account.
It shouldn't interact with the desktop. The program must run silently or in an unattended mode.
It must not initiate a restart on its own. The software must request a restart using the standard restart
code, 3010. This behavior makes sure that the task sequence properly handles the restart. If the software
does return a 3010 exit code, the task sequence engine restarts the computer. After the restart, the task
sequence automatically continues.
Programs that use the Run another program first option to install a dependent program aren't supported
when deploying an OS. If you enable the package option Run another program first , and the dependent
program already ran on the destination computer, the dependent program runs and the task sequence continues.
However, if the dependent program hasn't already run on the destination computer, the task sequence step fails.

NOTE
The central administration site doesn't have the necessary client configuration policies required to enable the software
distribution agent during the task sequence. When you create stand-alone media for a task sequence at the central
administration site, and the task sequence includes an Install Package step, the following error might appear in the
CreateTsMedia.log file:
"WMI method SMS_TaskSequencePackage.GetClientConfigPolicies failed (0x80041001)"

For stand-alone media that includes an Install Package step, create the stand-alone media at a primary site that has the
software distribution agent enabled. Alternatively, add a Run Command Line step after the Setup Windows and
ConfigMgr step and before the first Install Package step. The Run Command Line step runs a WMIC command to
enable the software distribution agent before the first Install Package step. Use the following command in the Run
Command Line step:
WMIC /namespace:\\\root\ccm\policy\machine\requestedconfig path ccm_SoftwareDistributionClientConfig
CREATE ComponentName="Enable SWDist", Enabled="true", LockSettings="TRUE", PolicySource="local",
PolicyVersion="1.0", SiteSettingsKey="1" /NOINTERACTIVE

For more information about creating stand-alone media, see Create stand-alone media.
This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Software , and select Install Package .
Variables for Install Package
Use the following task sequence variables with this step:
OSDDoNotLogCommand
Cmdlets for Install Package
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepInstallSoftware
New-CMTSStepInstallSoftware
Remove-CMTSStepInstallSoftware
Set-CMTSStepInstallSoftware

TIP
Use content pre-caching to download an applicable OS upgrade package before a user installs the task sequence. For
more information, see Configure pre-cache content.

Properties for Install Package

On the Proper ties tab for this step, configure the settings described in this section.
Install a single software package
This setting specifies a Configuration Manager software package. The step waits until the installation completes.
Install software packages according to dynamic variable list
The task sequence installs packages using this base variable name. The base variable name is for a set of task
sequence variables defined for a collection or computer. These variables specify the packages that the task
sequence installs for that collection or computer. Each variable name consists of its common base name plus a
numerical suffix starting at 001. The value for each variable must contain a package ID and the name of the
software separated by a colon.
For the task sequence to install software by using a dynamic variable list, enable the following setting on the
Advanced tab of the package Proper ties : Allow this program to be installed from the Install Package
task sequence without being deployed .

NOTE
You can't install software packages by using a dynamic variable list for stand-alone media deployments.

For example, to install a single software package by using a task sequence variable called AA001, you specify the
following variable:

VA RIA B L E N A M E VA RIA B L E VA L UE

AA001 CEN00054:Install

To install three software packages, you would specify the following variables:
 VA RIA B L E N A M E VA RIA B L E VA L UE

AA001 CEN00054:Install

AA002 CEN00107:Install Silent

AA003 CEN00031:Install

The following conditions affect the packages installed by the task sequence:
If you don't create the value of a variable in the correct format, or it doesn't specify a valid package ID and
name, the software installation fails.
If the package ID contains lowercase characters, the software installation fails.
If the task sequence doesn't find a variable with the specified base name and "001" suffix, the task
sequence doesn't install any packages. The task sequence continues.

IMPORTANT
These values are case-sensitive. For example, "install" is different than "Install". If you need to change the value, the task
sequence editor doesn't detect a change of case. Make another edit at the same time, for example, modify the step
description.

If installation of a software package fails, continue installing other packages in the list
This setting specifies that the step continues if an individual software package installation fails. If you specify this
setting, the task sequence continues regardless of any installation errors. If you don't specify this setting, and the
installation fails, the step immediately ends.

Install Software Updates

Use this step to install software updates on the destination computer. The destination computer isn't evaluated
for applicable software updates until this task sequence step runs. At that time, the destination computer is
evaluated for software updates like any other Configuration Manager client. For this step to install software
updates, first deploy the updates to a collection of which the target computer is a member.

IMPORTANT
For best performance, install the latest version of the Windows Update Agent.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Software , and select Install Software Updates .
Variables for Install Software Updates
Use the following task sequence variables with this step:
SMSInstallUpdateTarget
SMSTSMPListRequestTimeoutEnabled
SMSTSMPListRequestTimeout
SMSTSSoftwareUpdateScanTimeout
SMSTSWaitForSecondReboot
 NOTE
If the client fails to retrieve the management point list from location services, use the
SMSTSMPListRequestTimeoutEnabled and SMSTSMPListRequestTimeout variables. These variables specify how
many milliseconds a task sequence waits before it retries installing an application or software update. For more
information, see Task sequence variables.

Cmdlets for Install Software Updates

Manage this step with the following PowerShell cmdlets:
Get-CMTSStepInstallUpdate
New-CMTSStepInstallUpdate
Remove-CMTSStepInstallUpdate
Set-CMTSStepInstallUpdate
For more recommendations and a technical flow chart diagram for this step, see Install Software Updates.
Properties for Install Software Updates
On the Proper ties tab for this step, configure the settings described in this section.
Required for installation - Mandatory software updates only
Select this option to install all mandatory software updates with administrator-defined installation deadlines.
Available for installation - All software updates
Select this option to install all available software updates. First deploy these updates to a collection of which the
computer is a member. The task sequence installs all available software updates on the destination computers.
Evaluate software updates from cached scan results
By default, this step uses cached scan results from the Windows Update Agent. Disable this option to instruct the
Windows Update Agent to download the latest catalog from the software update point. Enable this option when
using a task sequence to capture and build an OS image. A large number of software updates is likely in this
scenario.
Many of these updates have dependencies. For example, install update ABC before update XYZ appears as
applicable. When you disable this setting, and deploy the task sequence to many clients, they all connect to the
software update point at the same time. This behavior results in performance issues during the process and
download of the update catalog.
In most circumstances, use the default setting to use cached scan results.
The SMSTSSoftwareUpdateScanTimeout variable controls the software updates scan timeout during this
step. The default value is 60 minutes. For more information, see Task sequence variables.
Options for Install Software Updates
Besides the default options, configure the following additional settings on the Options tab of this task sequence
step:
Retry this step if computer unexpectedly restarts
If one of the updates unexpectedly restarts the computer, retry this step. The step enables this setting by default
with two retries. You can specify from one to five retries.

NOTE
Configure the SMSTSWaitForSecondReboot variable to specify how many seconds the task sequence pauses after the
computer restarts in this scenario. For more information, see Task sequence variables.
Join Domain or Workgroup
Use this step to add the destination computer to a workgroup or domain.

NOTE
When an Azure Active Directory (Azure AD)-joined client runs an OS deployment task sequence, the client in the new OS
won't automatically join Azure AD. Even though it's not Azure AD-joined, the client is still managed.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select General , and select Join Domain or
Workgroup .
Variables for Join Domain or Workgroup
Use the following task sequence variables with this step:
OSDJoinAccount
OSDJoinDomainName
OSDJoinDomainOUName
OSDJoinPassword
OSDJoinSkipReboot
OSDJoinType
OSDJoinWorkgroupName
Cmdlets for Join Domain or Workgroup
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepJoinDomainWorkgroup
New-CMTSStepJoinDomainWorkgroup
Remove-CMTSStepJoinDomainWorkgroup
Set-CMTSStepJoinDomainWorkgroup
Properties for Join Domain or Workgroup
On the Proper ties tab for this step, configure the settings described in this section.
Join a workgroup
Select this option to have the destination computer join the specified workgroup. If the computer is currently a
member of a domain, selecting this option causes the computer to reboot.
Join a domain
Select this option to have the destination computer join the specified domain.
Optionally, enter or browse for an organizational unit (OU) in the specified domain for the computer to join. If the
computer is currently a member of some other domain or a workgroup, this option causes the computer to
reboot. If the computer is already a member of another OU, since Active Directory Domain Services doesn't allow
changing the OU via this method, Windows Setup ignores this setting.
Enter the account which has permission to join the domain
Select Set to enter the username and password for an account with permissions to join the domain. Enter the
account in the format: Domain\account . For more information on the task sequence domain joining account, see
Accounts.

Prepare ConfigMgr Client for Capture

Use this step to remove or configure the Configuration Manager client on the reference computer. This action
prepares the computer for capture as part of the imaging process.
This step completely removes the Configuration Manager client, instead of only removing key information. When
the task sequence deploys the captured OS image, it installs a new Configuration Manager client each time.

NOTE
The task sequence engine only removes the client during the Build and capture a reference operating system
image task sequence. The task sequence engine doesn't remove the client during other capture methods, such as capture
media or a custom task sequence.

This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Images , and select Prepare ConfigMgr Client
for Capture .
Cmdlets for Prepare ConfigMgr Client for Capture
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepPrepareConfigMgrClient
New-CMTSStepPrepareConfigMgrClient
Remove-CMTSStepPrepareConfigMgrClient
Set-CMTSStepPrepareConfigMgrClient

Prepare Windows for Capture

Use this step to specify the Sysprep options when capturing an OS image on the reference computer. This step
runs Sysprep, and then reboots the computer into the Windows PE boot image specified for the task sequence.
This action fails if the reference computer is joined to a domain.
This step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Images , and select Prepare Windows for
Capture .
Variables for Prepare Windows for Capture
Use the following task sequence variables with this step:
OSDKeepActivation
OSDTargetSystemRoot
Cmdlets for Prepare Windows for Capture
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepPrepareWindows
New-CMTSStepPrepareWindows
Remove-CMTSStepPrepareWindows
Set-CMTSStepPrepareWindows
Properties for Prepare Windows for Capture
On the Proper ties tab for this step, configure the settings described in this section.
Automatically build mass storage driver list
Select this option to have Sysprep automatically build a list of mass storage drivers from the reference computer.
This option enables the Build Mass Storage Drivers option in the sysprep.inf file on the reference computer. For
more information about this setting, see the Sysprep documentation.
Do not reset activation flag
Select this option to prevent Sysprep from resetting the product activation flag.
Shutdown the computer after running this action
This option instructs Sysprep to shutdown the computer instead of its default restart behavior.
The Windows Autopilot for existing devices task sequence uses this step with this option.
If you want the task sequence to refresh the device and then immediately start OOBE for Autopilot, leave
this option off.
Enable this option to shutdown the device after imaging. Then you can deliver the device to a user, who
starts OOBE with Autopilot when they turn it on for the first time.

Pre-provision BitLocker
Use this step to enable BitLocker on a drive while in Windows PE. By default, only the used drive space is
encrypted, so encryption times are much faster. You apply the key management options by using the Enable
BitLocker step after the OS installs.

IMPORTANT
Pre-provisioning BitLocker requires that the computer has a supported and enabled Trusted Platform Module (TPM).

This step runs only in Windows PE. It doesn't run in the full OS.
To add this step in the task sequence editor, select Add , select Disks , and select Pre-provision BitLocker .
Cmdlets for Pre -provision BitLocker
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepOfflineEnableBitLocker
New-CMTSStepOfflineEnableBitLocker
Remove-CMTSStepOfflineEnableBitLocker
Set-CMTSStepOfflineEnableBitLocker
Properties for Pre -provision BitLocker
On the Proper ties tab for this step, configure the settings described in this section.
Apply BitLocker to the specified drive
Specify the drive for which you want to enable BitLocker. BitLocker only encrypts the used space on the drive.
Disk encryption mode
Starting in version 2006, select one of the following encryption algorithms:
AES_128
AES_256
XTS_AES256
XTS_AES128
By default or if not specified, the step continues to use the default encryption method for the OS version. If the
step runs on a version of Windows that doesn't support the specified algorithm, it falls back to the OS default. In
this circumstance, the task sequence engine sends status message 11911.
Use full disk encryption
By default, this step only encrypts used space on the drive. This default behavior is recommended, as it's faster
and more efficient. If your organization requires encrypting the entire drive during setup, then enable this option.
Windows Setup waits for the entire drive to encrypt, which takes a long time, especially on large drives.
Skip this step for computers that do not have a TPM or when TPM is not enabled
Select this option to skip drive encryption on a computer that doesn't contain a supported or enabled TPM. For
example, use this option when you deploy an OS to a virtual machine. By default, this setting is enabled for the
Pre-provision BitLocker step. The step fails on a device without a TPM or a TPM that doesn't initialize. Starting
in version 2006, if the device doesn't have a functional TPM, the task sequence engine logs a warning to
smsts.log and sends status message 11912.

Release State Store

Use this step to notify the state migration point that the capture or restore action is complete. Use this step in
conjunction with the Request State Store , Capture User State , and Restore User State steps. You use these
steps to migrate user state data using a state migration point and the User State Migration Tool (USMT).
For more information about managing the user state when deploying operating systems, see Manage user state.
If you use the Request State Store step to request access to a state migration point to capture user state, this
step notifies the state migration point that the capture process is complete. The state migration point then marks
the user state data as available for restore. The state migration point sets the access control permissions for the
user state data so that only the restoring computer has read-only access.
If you use the Request State Store step to request access to a state migration point to restore user state, this
step notifies the state migration point that the restore process is complete. The state migration point then
activates its configured data retention settings.

IMPORTANT
Set the Continue on Error option for any steps between the Request State Store and Release State Store steps.
Every Request State Store step must have a matching Release State Store step.

This step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select User State , and select Release State Store .
Variables for Release State Store
Use the following task sequence variables with this step:
OSDStateStorePath
Cmdlets for Release State Store
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepReleaseStateStore
New-CMTSStepReleaseStateStore
Remove-CMTSStepReleaseStateStore
Set-CMTSStepReleaseStateStore
Properties for Release State Store
This step doesn't require any settings on the Proper ties tab.

Request State Store

Use this step to request access to a state migration point when capturing or restoring state.
For more information about managing the user state when deploying operating systems, see Manage user state.
Use this step in conjunction with the Release State Store , Capture User State , and Restore User State
steps. You use these steps to migrate computer state using a state migration point and the User State Migration
Tool (USMT).

NOTE
When creating a new state migration point, user state storage isn't available for up to one hour. To expedite availability,
adjust any property settings on the state migration point to trigger a site control file update.

This step runs in the full OS and in Windows PE for offline USMT.
To add this step in the task sequence editor, select Add , select User State , and select Request State Store .
Variables for Request State Store
Use the following task sequence variables with this step:
OSDStateFallbackToNAA
OSDStateSMPRetryCount
OSDStateSMPRetryTime
OSDStateStorePath
Cmdlets for Request State Store
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepRequestStateStore
New-CMTSStepRequestStateStore
Remove-CMTSStepRequestStateStore
Set-CMTSStepRequestStateStore
Properties for Request State Store
On the Proper ties tab for this step, configure the settings described in this section.
Capture state from the computer
Find a state migration point that meets the minimum requirements as configured in the state migration point
settings. For example, Maximum number of clients and Minimum amount of free disk space . This option
doesn't guarantee sufficient space is available at the time of state migration. This option requests access to the
state migration point for the purpose of capturing the user state and settings from a computer.
If the Configuration Manager site has multiple active state migration points, this step finds a state migration
point with available disk space. The task sequence queries the management point for a list of state migration
points, and then evaluates each until it finds one that meets the minimum requirements.
Restore state from another computer
Request access to a state migration point to restore previously captured user state and settings to a destination
computer.
If there are multiple state migration points, this step finds the state migration point that has the state for the
destination computer.
Number of retries
The number of times that this step tries to find an appropriate state migration point before failing.
Retry delay (in seconds )
The amount of time in seconds that the task sequence step waits between retry attempts.
If computer account fails to connect to a state store, use the network access account
If the task sequence can't access the state migration point using the computer account, it uses the network access
account credentials to connect. This option is less secure because other computers could use the network access
account to access the stored state. This option might be necessary if the destination computer isn't domain
joined.

Restart Computer
Use this step to restart the computer running the task sequence. After the restart, the computer automatically
continues with the next step in the task sequence.
This step can be run in either the full OS or Windows PE.
To add this step in the task sequence editor, select Add , select General , and select Restar t Computer .
Variables for Restart Computer
Use the following task sequence variables with this step:
SMSRebootMessage
SMSRebootTimeout
Cmdlets for Restart Computer
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepReboot
New-CMTSStepReboot
Remove-CMTSStepReboot
Set-CMTSStepReboot
Properties for Restart Computer
On the Proper ties tab for this step, configure the settings described in this section.
The boot image assigned to this task sequence
Select this option for the destination computer to use the boot image assigned to the task sequence. The task
sequence uses the boot image to run subsequent steps in Windows PE.
The currently installed default operating system
Select this option for the destination computer to reboot into the installed OS.
Notify the user before restarting
Select this option to display a notification to the user before the destination computer restarts. The step selects
this option by default.
Notification message
Enter a notification message to display to the user before the destination computer restarts.
Message display time-out
Specify the amount of time in seconds before the destination computer restarts. The default is 60 seconds.

Restore User State

Use this step to initiate the User State Migration Tool (USMT) to restore user state and settings to the destination
computer. You use this step in conjunction with the Capture User State step.
For more information about managing the user state when deploying operating systems, see Manage user state.
Use this step with the Request State Store and Release State Store steps to save or restore the state settings
with a state migration point. This option always decrypts the USMT state store by using an encryption key that
Configuration Manager generates and manages.
The Restore User State step provides control over a limited subset of the most commonly used USMT options.
Specify additional command-line options with the OSDMigrateAdditionalRestoreOptions variable.

IMPORTANT
If you're using this step for a purpose unrelated to an OS deployment scenario, add the Restart Computer step
immediately following the Restore User State step.

This step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select User State , and select Restore User State .
Variables for Restore User State
Use the following task sequence variables with this step:
_OSDMigrateUsmtRestorePackageID
OSDMigrateAdditionalRestoreOptions
OSDMigrateContinueOnRestore
OSDMigrateEnableVerboseLogging
OSDMigrateLocalAccounts
OSDMigrateLocalAccountPassword
OSDStateStorePath
Cmdlets for Restore User State
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepRestoreUserState
New-CMTSStepRestoreUserState
Remove-CMTSStepRestoreUserState
Set-CMTSStepRestoreUserState
Properties for Restore User State
On the Proper ties tab for this step, configure the settings described in this section.
User state migration tool package
Specify the package that contains the version of USMT for this step to use. This package doesn't require a
program. When the step runs, the task sequence uses the version of USMT in the specified package. Specify a
package containing the 32-bit or 64-bit version of USMT. The architecture of USMT depends upon the
architecture of the OS to which the task sequence is restoring state.
Restore all captured user profiles with standard options
Restores the captured user profiles with the standard options. To customize the options that USMT restores,
select Customize user profile capture .
Customize how user profiles are restored
Allows you to customize the files that you want to restore to the destination computer. Select Files to specify the
configuration files in the USMT package you want to use for restoring the user profiles. To add a configuration
file, enter the name of the file in the Filename box, and then select Add . The Files pane lists the configuration
files that USMT uses. The .xml file you specify defines which user file USMT restores.
Restore local computer user profiles
Restores the local computer user profiles. These profiles aren't for domain users. Assign new passwords to the
restored local user accounts. USMT can't migrate the original passwords. Enter the new password in the
Password box, and confirm the password in the Confirm Password box.
Continue if some files cannot be restored
Continues restoring user state and settings even if USMT is unable to restore some files. The step enables this
option by default. If you disable this option, and USMT encounters errors while restoring files, this step fails
immediately. USMT doesn't restore all files.
Enable verbose logging
Enable this option to generate more detailed log file information. When restoring state, the task sequence by
default generates Loadstate.log in the task sequence log folder, %WinDir%\ccm\logs .

Run Command Line

Use this step to run the specified command line.
The command being run must meet the following criteria:
It shouldn't interact with the desktop. The command must run silently or in an unattended mode.
It must not initiate a restart on its own. The command must request a restart using the standard restart
code, 3010. This behavior makes sure that the task sequence properly handles the restart. If the command
does return a 3010 exit code, the task sequence engine restarts the computer. After the restart, the task
sequence automatically continues.
This step can be run in the full OS or Windows PE.
To add this step in the task sequence editor, select Add , select General , and select Run Command Line .
Variables for Run Command Line
Use the following task sequence variables with this step:
OSDDoNotLogCommand (starting in version 1902)
SMSTSDisableWow64Redirection
SMSTSRunCommandLineUserName
SMSTSRunCommandLineUserPassword
SMSTSRunCommandLineAsUser (starting in version 2002)
WorkingDirectory
Cmdlets for Run Command Line
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepRunCommandLine
New-CMTSStepRunCommandLine
Remove-CMTSStepRunCommandLine
Set-CMTSStepRunCommandLine
Properties for Run Command Line
On the Proper ties tab for this step, configure the settings described in this section.
Command line
Specifies the command line that the task sequence runs. This field is required. Include file name extensions, for
example, .vbs and .exe. Include all required settings files and command-line options.
If you don't specify the file name extension, Configuration Manager tries .com, .exe, and .bat. If the file name has
an extension that's not an executable type, Configuration Manager tries to apply a local association. For example,
if the command line is readme.gif, Configuration Manager starts the application specified on the destination
computer for opening .gif files.
Examples:
setup.exe /a

cmd.exe /c copy Jan98.dat c:\sales\Jan98.dat

NOTE
To run successfully, precede command-line actions with the cmd.exe /c command. Example of these actions include
output redirection, piping, and copy commands.

Output to task sequence variable

Starting in version 1910, save the command output to a custom task sequence variable.

NOTE
Configuration Manager limits this output to the last 1000 characters.

Disable 64-bit file system redirection

By default, 64-bit operating systems use the WOW64 file system redirector to run command lines. This behavior
is to properly find 32-bit versions of OS executables and libraries. Select this option to disable the use of the
WOW64 file system redirector. Windows runs the command using native 64-bit versions of OS executables and
libraries. This option has no effect when running on a 32-bit OS.
Start in
Specifies the executable folder for the program, up to 127 characters. This folder can be an absolute path on the
destination computer or a path relative to the distribution point folder that contains the package. This field is
optional.
Examples:
c:\officexp

i386

NOTE
The Browse button browses the local computer for files and folders. Anything you select must also exist on the
destination computer. It must exist in the same location and with the same file and folder names.

Package
When you specify files or programs on the command line that aren't already present on the destination
computer, select this option to specify the Configuration Manager package that contains the necessary files. The
package doesn't require a program. If the specified files exist on the destination computer, this option isn't
required.
Time-out
Specifies a value that represents how long Configuration Manager allows the command line to run. This value
can be from one minute to 999 minutes. The default value is 15 minutes. This option is disabled by default.

IMPORTANT
If you enter a value that doesn't allow enough time for the specified command to complete successfully, this step fails. The
entire task sequence could fail depending on step or group conditions. If the time-out expires, Configuration Manager
terminates the command-line process.
Run this step as the following account
Specifies that the command line is run as a Windows user account other than the Local System account.

NOTE
To run simple scripts or commands with another account after installing the OS, first add the account to the computer.
Additionally, you may need to restore Windows user profiles to run more complex programs, such as a Windows Installer.

Account
Specifies the Windows user account this step uses to run the command line. The command line runs with the
permissions of the specified account. Select Set to specify the local user or domain account. For more
information on the task sequence run-as account, see Accounts.

IMPORTANT
If this step specifies a user account and runs in Windows PE, the action fails. You can't join Windows PE to a domain. The
smsts.log file records this failure.

Options for Run Command Line

Besides the default options, configure the following additional settings on the Options tab of this task sequence
step:
Success codes
Include other exit codes from the script that the step should evaluate as success.

Run PowerShell Script

Use this step to run the specified Windows PowerShell script.
The script must meet the following criteria:
It shouldn't interact with the desktop. The script must run silently or in an unattended mode.
It must not initiate a restart on its own. The sscript must request a restart using the standard restart code,
3010. This behavior makes sure that the task sequence properly handles the restart. If the script does
return a 3010 exit code, the task sequence engine restarts the computer. After the restart, the task
sequence automatically continues.
This step can be run in the full OS or Windows PE. To run this step in Windows PE, enable PowerShell in the boot
image. Enable the WinPE-PowerShell component from the Optional Components tab in the properties for the
boot image. For more information about how to modify a boot image, see Manage boot images.

NOTE
PowerShell isn't enabled by default on Windows Embedded operating systems.

WARNING
Certain anti-malware software may inadvertently trigger events against the Configuration Manager Run PowerShell Script
task sequence step. It is recommended to exclude %windir%\temp\smstspowershellscripts so that the anti-malware
software permits those scripts to run without interference.

To add this step in the task sequence editor, select Add , select General , and select Run PowerShell Script .
Variables for Run PowerShell Script
Use the following task sequence variables with this step:
OSDLogPowerShellParameters (starting in version 1902)
SMSTSRunPowerShellAsUser (starting in version 2002)
SMSTSRunPowerShellUserName
SMSTSRunPowerShellUserPassword
Cmdlets for Run PowerShell Script
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepRunPowerShellScript
New-CMTSStepRunPowerShellScript
Remove-CMTSStepRunPowerShellScript
Set-CMTSStepRunPowerShellScript

NOTE
Use signed PowerShell scripts in Unicode format. ANSI format, which is the default, doesn't work with this step.

Properties for Run PowerShell Script

On the Proper ties tab for this step, configure the settings described in this section.
Package
Specify the Configuration Manager package that contains the PowerShell script. One package can contain
multiple PowerShell scripts.
Script name
Specifies the name of the PowerShell script to run. This field is required.
Enter a PowerShell script
Starting in version 1902, directly enter Windows PowerShell code in this step. This feature lets you run
PowerShell commands during a task sequence without first creating and distributing a package with the script.
When you add or edit a script, the PowerShell script window provides the following actions:
Edit the script directly
Open an existing script from file
Browse to an existing approved script in Configuration Manager

IMPORTANT
To take advantage of this new Configuration Manager feature, after you update the site, also update clients to the latest
version. While new functionality appears in the Configuration Manager console when you update the site and console, the
complete scenario isn't functional until the client version is also the latest.

Parameters
Specifies the parameters passed to the PowerShell script. These parameters are the same as the PowerShell script
parameters on the command line.
Provide parameters consumed by the script, not for the Windows PowerShell command line.
The following example contains valid parameters:
-MyParameter1 MyValue1 -MyParameter2 MyValue2
The following example contains invalid parameters. The first two items are Windows PowerShell command-line
parameters (-NoLogo and -ExecutionPolicy Unrestricted ). The script doesn't consume these parameters.
-NoLogo -ExecutionPolicy Unrestricted -File MyScript.ps1 -MyParameter1 MyValue1 -MyParameter2 MyValue2

If a parameter value includes a special character, use single quotation marks ( ' ) around the value. Using double
quotation marks ( " ) may cause the task sequence step to incorrectly process the parameter.
For example: -Arg1 '%TSVar1%' -Arg2 '%TSVar2%'

Starting in version 2002, set this property to a variable. For example, if you specify %MyScriptVariable% , when the
task sequence runs the script, it adds the value of this custom variable to the PowerShell command line.
PowerShell execution policy
Determine which PowerShell scripts (if any) you allow to run on the computer. Choose one of the following
execution policies:
AllSigned : Only run scripts signed by a trusted publisher
Undefined : Don't define any execution policy
Bypass : Load all configuration files and run all scripts. If you download an unsigned script from the
internet, Windows PowerShell doesn't prompt for permission before running the script.

IMPORTANT
PowerShell 1.0 doesn't support Undefined and Bypass execution policies.

Output to task sequence variable

Starting in version 1902, save the script output to a custom task sequence variable.

NOTE
Starting in version 1910, Configuration Manager limits this output to the last 1000 characters.

For an example of how to use this step property, see How to set variables.
Start in
Starting in version 1902, specify the starting folder for the script, up to 127 characters. This folder can be an
absolute path on the destination computer or a path relative to the distribution point folder that contains the
package. This field is optional.

NOTE
The Browse button browses the local computer for files and folders. Anything you select must also exist on the
destination computer. It must exist in the same location and with the same file and folder names.

Time-out
Starting in version 1902, specify a value that represents how long Configuration Manager allows the PowerShell
script to run. This value can be from one minute to 999 minutes. The default value is 15 minutes. This option is
disabled by default.
 IMPORTANT
If you enter a value that doesn't allow enough time for the specified script to complete successfully, this step fails. The
entire task sequence could fail depending on step or group conditions. If the time-out expires, Configuration Manager
terminates the PowerShell process.

Run this step as the following account

Starting in version 1902, specify that the PowerShell script is run as a Windows user account other than the Local
System account.

NOTE
To run simple scripts or commands with another account after installing the OS, first add the account to the computer.
Additionally, you may need to restore Windows user profiles to run more complex actions.

Account
Starting in version 1902, specify the Windows user account this step uses to run the PowerShell script. The
specified account must be a local administrator on the system and the script runs with the permissions of this
account. Select Set to specify the local user or domain account. For more information on the task sequence run-
as account, see Accounts.

IMPORTANT
If this step specifies a user account and runs in Windows PE, the action fails. You can't join Windows PE to a domain. The
smsts.log file records this failure.

Options for Run PowerShell Script

Besides the default options, configure the following additional settings on the Options tab of this task sequence
step:
Success codes
Starting in version 1902, include other exit codes from the script that the step should evaluate as success.

Run Task Sequence

NOTE
In version 1910, Configuration Manager enables this feature by default. In version 1906 or earlier, Configuration Manager
doesn't enable this optional feature by default. Enable this feature before using it. For more information, see Enable
optional features from updates.

This step runs another task sequence. It creates a parent-child relationship between the task sequences. With
child task sequences, you can create more modular, reusable task sequences.
To add this step in the task sequence editor, select Add , select General , and select Run Task Sequence .
Specifications and limitations for Run Task Sequence
Consider the following points when you add a child task sequence to a task sequence:
The parent and child task sequences are effectively combined into a single policy that the client runs.
The environment is global. If the parent task sequence sets a variable, and then the child task sequence
changes that variable, it retains the latest value. If the child task sequence creates a new variable, it's
 available for the rest of the parent task sequence.
Status messages are sent per normal for a single task sequence operation.
The task sequence writes entries to the smsts.log file, with new log entries that make it clear when a child
task sequence starts.
You can't select a task sequence with a boot image reference. For any deployment that requires a boot
image, specify it on the parent task sequence.
If a child task sequence is disabled, the deployment fails. You can't use the Continue on error option to
work around this limitation.
If a child task sequence contains steps that are considered high impact, Software Center doesn't detect it
and show the high-impact notification. Modify the properties of the parent task sequence, on the User
Notification tab, to specify that This is a high-impact task sequence .
If a child task sequence has a missing package reference, viewing the parent task sequence doesn't detect
this state. If you edit the parent task sequence, it detects any missing references in child task sequences
when you make changes to the parent.
Cmdlets for Run Task Sequence
Starting in version 1906, manage this step with the following PowerShell cmdlets:
Get-CMTSStepRunTaskSequence
New-CMTSStepRunTaskSequence
Remove-CMTSStepRunTaskSequence
Set-CMTSStepRunTaskSequence
For more information, see 1906 release notes - New cmdlets.
Properties for Run Task Sequence
On the Proper ties tab for this step, configure the settings described in this section.
Select task sequence to run
Select Browse to select the child task sequence. The Select a Task Sequence dialog box doesn't display the
parent task sequence.

Set Dynamic Variables

Use this step to perform the following actions:
1. Gather information from the computer and its environment. Then set specified task sequence variables
with the information.
2. Evaluate defined rules. Set task sequence variables based on the rules that evaluate to true.
This step can be run in either the full OS or Windows PE.
To add this step in the task sequence editor, select Add , select General , and select Set Dynamic Variables .
Variables for Set Dynamic Variables
The task sequence automatically sets the following read-only task sequence variables:
_SMSTSMake
_SMSTSModel
_SMSTSMacAddresses
_SMSTSIPAddresses
 _SMSTSSerialNumber
_SMSTSAssetTag
_SMSTSUUID
Cmdlets for Set Dynamic Variables
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepSetDynamicVariable
New-CMTSStepSetDynamicVariable
Remove-CMTSStepSetDynamicVariable
Set-CMTSStepSetDynamicVariable
Properties for Set Dynamic Variables
On the Proper ties tab for this step, configure the settings described in this section.
Dynamic rules and variables
To set a dynamic variable for use in the task sequence, add a rule. Then set a value for each variable specified in
the rule. Additionally, add one or more variables without adding a rule. When you add a rule, choose from the
following categories:
Computer : Evaluate values for hardware asset tag, UUID, serial number, or MAC address. Set multiple
values as necessary. If any value is true, then the rule evaluates as true. For example, the following rule
evaluates as true if the device serial number is 5892087 and the MAC address is 22-A4-5A-13-78-26:
IF Serial Number = 5892087 OR MAC address = 26-78-13-5A-A4-22 THEN

Location : Evaluate values for the default network gateway

Make and Model : Evaluate values for the make and model of a computer. Both the make and model
must evaluate to true for the rule to evaluate to true.
Specify an asterisk ( * ) and question mark ( ? ) as wild cards characters. The asterisk matches multiple
characters and the question mark matches a single character. For example, the string DELL*900? matches
both DELL-ABC-9001 and DELL9009 .
Task Sequence Variable : Add a task sequence variable, condition, and value to evaluate. The rule
evaluates to true when the value set for the variable meets the specified condition.
Specify one or more variables to set for a rule that evaluates to true, or set variables without using a rule.
Select an existing variable, or create a custom variable.
Existing task sequence variables : Select one or more variables from a list of existing task
sequence variables. Array variables aren't available to select.
Custom task sequence variables : Define a custom task sequence variable. You can also specify
an existing task sequence variable. This setting is useful to specify an existing variable array, such as
OSDAdapter , since variable arrays aren't in the list of existing task sequence variables.
After you select the variables for a rule, provide a value for each variable. The variable is set to the specified value
when the rule evaluates to true. For each variable, you can select Do not display this value to hide the value of
the variable. By default, some existing variables hide values, such as the OSDCaptureAccountPassword
variable.
 IMPORTANT
When you import a task sequence with the Set Dynamic Variables step, Configuration Manager removes any variable
values marked as Do not display this value . After you import the task sequence, re-enter the value for the dynamic
variable.

When you use the option Do not display this value , the value of the variable isn't displayed in the task
sequence editor. The task sequence log file (smsts.log ) or the task sequence debugger won't show the variable
value either. The variable can still be used by the task sequence when it runs. If you no longer want these
variables to be hidden, delete them first. Then redefine the variables without selecting the option to hide them.

WARNING
If you include variables in the Run Command Line step's command line, the task sequence log file displays the full
command line including the variable values. To prevent potentially sensitive data from appearing in the log file, set the task
sequence variable OSDDoNotLogCommand to TRUE .

Set Task Sequence Variable

Use this step to set the value of a variable that's used with the task sequence.
This step can be run in either the full OS or Windows PE.
To add this step in the task sequence editor, select Add , select General , and select Set Task Sequence
Variable .
Variables for Set Task Sequence Variable
Task sequence variables are read by task sequence actions and specify the behavior of those actions. For more
information about specific task sequence variables and how to use them, see the following articles:
How to use task sequence variables
Task sequence variables
Cmdlets for Set Task Sequence Variable
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepSetVariable
New-CMTSStepSetVariable
Remove-CMTSStepSetVariable
Set-CMTSStepSetVariable
Properties for Set Task Sequence Variable
On the Proper ties tab for this step, configure the settings described in this section.
Task sequence variable
Specify the name of a task sequence built-in or action variable, or specify your own user-defined variable name.
Do not display this value
Enable this option to mask sensitive data stored in task sequence variables. For example, when specifying a
password.
 NOTE
Enable this option and then set the value of the task sequence variable. Otherwise the variable value isn't set as you
intend, which may cause unexpected behaviors when the task sequence runs.

When you use the option Do not display this value , the value of the variable isn't displayed in the task
sequence editor. The task sequence log file (smsts.log ) or the task sequence debugger won't show the variable
value either. The variable can still be used by the task sequence when it runs. If you no longer want this variable
to be hidden, delete it first. Then redefine the variable without selecting the option to hide it.

WARNING
If you include variables in the Run Command Line step's command line, the task sequence log file displays the full
command line including the variable values. To prevent potentially sensitive data from appearing in the log file, set the task
sequence variable OSDDoNotLogCommand to TRUE .

Value
The task sequence sets the variable to this value. Set this task sequence variable to the value of another task
sequence variable with the syntax %varname% .

Setup Windows and ConfigMgr

Use this step to perform the transition from Windows PE to the new OS. This task sequence step is a required
part of any OS deployment. It installs the Configuration Manager client into the new OS, and prepares for the
task sequence to continue execution in the new OS.
This step is responsible for transitioning the task sequence from Windows PE to the full OS. The step runs both in
Windows PE and the full OS because of this transition. However, since the transition starts in Windows PE, it can
only be added during the Windows PE portion of the task sequence.
This step replaces sysprep.inf or unattend.xml directory variables, such as %WINDIR% and %ProgramFiles% , with
the Windows PE installation directory, X:\Windows . The task sequence ignores variables specified by using these
environment variables.
To add this step in the task sequence editor, select Add , select Images , and select Setup Windows and
ConfigMgr .
Behaviors for Setup Windows and ConfigMgr
This step performs the following actions:
Preliminaries: Windows PE
1. Substitute task sequence variables in the unattend.xml file.
2. Download the package that contains the Configuration Manager client. Add the package to the deployed
image.
Set up Windows
Image-based installation
1. Disable the Configuration Manager client in the image, if it exists. In other words, disable Autostart
for the Configuration Manager client service.
2. Update the registry in the deployed image to start the deployed OS with the same drive letter as
the reference computer.
3. Restart to the deployed OS.
 4. Windows mini-setup runs by using the previously specified sysprep.inf or unattend.xml answer file
that has all end-user interaction suppressed. If you use the Apply Network Settings step to join a
domain, then that information is in the answer file. Windows mini-setup joins the computer to the
domain.
Setup.exe-based installation. Runs Setup.exe that follows the typical Windows setup process:
1. Copy the OS upgrade package, specified in the Apply Operating System step, to the hard disk
drive.
2. Restart to the newly deployed OS.
3. Windows mini-setup runs by using the previously specified sysprep.inf or unattend.xml answer file
that has all user interface settings suppressed. If you use the Apply Network Settings step to join
a domain, then that information is in the answer file. Windows mini-setup joins the computer to the
domain.
Set up the Configuration Manager client
1. After Windows mini-setup finishes, the task sequence resumes by using setupcomplete.cmd. For more
information, see Run a script after setup is complete (SetupComplete.cmd).
2. Enable or disable the local Administrator account, based on the option selected in the Apply Windows
Settings step.
3. Install the Configuration Manager client by using the previously downloaded package, and installation
properties specified in this step. The client installs in "provisioning mode". This mode prevents the client
from processing new policy requests until the task sequence completes. For more information, see
Provisioning mode.
4. Wait for the client to be fully operational.
The step completes
The task sequence continues running the next step.

NOTE
Windows group policy normally doesn't process until after the task sequence is complete. This behavior is consistent across
different versions of Windows. Other custom actions during the task sequence can trigger group policy evaluation. For
more information on the order of operations, see Run a script after setup is complete (SetupComplete.cmd).

Variables for Setup Windows and ConfigMgr

Use the following task sequence variables with this step:
SMSClientInstallProperties
Cmdlets for Setup Windows and ConfigMgr
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepSetupWindowsAndConfigMgr
New-CMTSStepSetupWindowsAndConfigMgr
Remove-CMTSStepSetupWindowsAndConfigMgr
Set-CMTSStepSetupWindowsAndConfigMgr
Properties for Setup Windows and ConfigMgr
On the Proper ties tab for this step, configure the settings described in this section.
Client package
Select Browse , then choose the Configuration Manager client installation package to use with this step.
Use pre-production client package when available
If there's a pre-production client package available, and the computer is a member of the piloting collection, the
task sequence uses this package instead of the production client package. The pre-production client is a newer
version for testing in the production environment. Select Browse , then choose the pre-production client
installation package to use with this step.
Installation Properties
The task sequence step automatically specifies site assignment and the default configuration. Use this field to
specify any additional installation properties to use when you install the client. To enter multiple installation
properties, separate them with a space.
Specify command-line options to use during client installation. For example, enter /skipprereq: silverlight.exe
to inform CCMSetup.exe to not install the Microsoft Silverlight prerequisite. For more information about
available command-line options for CCMSetup.exe, see About client installation properties.
When you run an OS deployment task sequence on an internet-based client, that's either Azure AD-joined or
uses token-based authentication, you need to specify the CCMHOSTNAME property in the Setup Windows and
ConfigMgr step. For example, CCMHOSTNAME=OTTERFALLS.CLOUDAPP.NET/CCM_Proxy_MutualAuth/12345678907927939 .
Options for Setup Windows and ConfigMgr

NOTE
Don't enable Continue on error on the Options tab. If there's an error during this step, the task sequence fails whether
or not you enable this setting.

Upgrade Operating System

Use this step to upgrade an older version of Windows to a newer version of Windows 10.
This task sequence step runs only in the full OS. It doesn't run in Windows PE.
To add this step in the task sequence editor, select Add , select Images , and select Upgrade Operating System .

TIP
Beginning with Windows 10, version 1709, media includes multiple editions. When you configure a task sequence to use
an OS upgrade package or OS image, be sure to select a supported edition.
Use content pre-caching to download an applicable OS upgrade package before a user installs the task sequence. For
more information, see Configure pre-cache content.

Variables for Upgrade OS

Use the following task sequence variables with this step:
_SMSTSOSUpgradeActionReturnCode
SetupCompletePause
OSDSetupAdditionalUpgradeOptions
Cmdlets for Upgrade OS
Manage this step with the following PowerShell cmdlets:
Get-CMTSStepUpgradeOperatingSystem
New-CMTSStepUpgradeOperatingSystem
 Remove-CMTSStepUpgradeOperatingSystem
Set-CMTSStepUpgradeOperatingSystem
Properties for Upgrade OS
On the Proper ties tab for this step, configure the settings described in this section.
Upgrade package
Select this option to specify the Windows 10 OS upgrade package to use for the upgrade.
Source path
Specifies a local or network path to the Windows 10 media that Windows Setup uses. This setting corresponds to
the Windows Setup command-line option /InstallFrom .
You can also specify a variable, such as %MyContentPath% or %DPC01% . When you use a variable for the source
path, set its value earlier in the task sequence. For example, use the Download Package Content step to specify a
variable for the location of the OS upgrade package. Then, use that variable for the source path for this step.
Edition
Specify the edition within the OS media to use for the upgrade.
Product key
Specify the product key to apply to the upgrade process.
Provide the following driver content to Windows Setup during upgrade
Add drivers to the destination computer during the upgrade process. The drivers must be compatible with
Windows 10. This setting corresponds to the Windows Setup command-line option /InstallDriver . For more
information, see Windows Setup command-line options.
Specify one of the following options:
Driver package : Select Browse and choose an existing driver package from the list.
Staged content : Select this option to specify the location for the driver content. You can specify a local
folder, network path, or a task sequence variable. When you use a variable for the source path, set its value
earlier in the task sequence. For example, by using the Download Package Content step.

TIP
If you want to have dynamic content for multiple types of hardware:
Use multiple instances of this step with conditions for the hardware types and separate driver content.
Use multiple instances of the Download Package Content step. Place the content in a common location, and then
use the Staged content option. The benefit of this method is the task sequence has a single Upgrade OS step.

Time-out (minutes )
Specify the number of minutes before Configuration Manager fails this step. This option is useful if Windows
Setup stops processing but doesn't terminate.
Perform Windows Setup compatibility scan without starting upgrade
Perform the Windows Setup compatibility scan without starting the upgrade process. This setting corresponds to
the Windows Setup command-line option /Compat ScanOnly . Deploy the entire OS upgrade package with this
option.
When you enable this option, this step doesn't put the Configuration Manager client into provisioning mode.
Windows Setup runs silently in the background, and the client continues to function as normal. For more
information, see Provisioning mode.
Setup returns an exit code as a result of the scan. The following table provides some of the more common exit
codes:

EXIT C O DE DETA IL S

MOSETUP_E_COMPAT_SCANONLY (0xC1900210) No compatibility issues ("success").

MOSETUP_E_COMPAT_INSTALLREQ_BLOCK (0xC1900208) Actionable compatibility issues.

MOSETUP_E_COMPAT_MIGCHOICE_BLOCK (0xC1900204) Selected migration choice isn't available. For example, an

upgrade from Enterprise to Professional.

MOSETUP_E_COMPAT_SYSREQ_BLOCK (0xC1900200) Not eligible for Windows 10.

MOSETUP_E_COMPAT_INSTALLDISKSPACE_BLOCK Not enough free disk space.

(0xC190020E)

For more information about this parameter, see Windows Setup Command-Line Options.
Ignore any dismissible compatibility messages
Specifies that Setup completes the installation, ignoring any dismissible compatibility messages. This setting
corresponds to the Windows Setup command-line option /Compat IgnoreWarning .
Dynamically update Windows Setup with Windows Update
Enable setup to perform Dynamic Update operations, such as search, download, and install updates. This setting
corresponds to the Windows Setup command-line option /DynamicUpdate . This setting isn't compatible with
Configuration Manager software updates. Enable this option when you manage updates with stand-alone
Windows Server Update Services (WSUS) or Windows Update for Business.
Override policy and use default Microsoft Update
Temporarily override the local policy in real time to run Dynamic Update operations. The computer gets updates
from Windows Update.
 Install Software Updates
9/4/2020 • 7 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The Install Software Updates step is commonly used in Configuration Manager task sequences. When installing
or updating the OS, it triggers the software updates components to scan for and deploy updates. This step can
cause challenges for some customers, such as long timeout delays or missed updates. Use the information in this
article to help mitigate common issues with this step, and for better troubleshooting when things go wrong.
For more information on the step, see Install Software Updates

Recommendations
To help this process be successful, use the following recommendations:
Use offline servicing
Single index
Reduce image size
Use offline servicing
Use Configuration Manager to regularly install applicable software updates to your image files. This practice then
reduces the number of updates that you need to install during the task sequence.
For more information, see Apply software updates to an image.
Single index
Many image files include multiple indexes, such as for different editions of Windows. Reduce the image file to a
single index that you require. This practice reduces the amount of time to apply software updates to the image. It
also enables the next recommendation to reduce the image size.
Starting in version 1902, automate this process when you add an OS image to the site. For more information, see
Add an OS image.
Reduce image size
When you apply software updates to the image, optimize the output by removing any superseded updates. Use the
DISM command-line tool, for example:

dism /Mount-Image /ImageFile:C:\Data\install.wim /MountDir:C:\Mountdir

dism /Image:C:\Mountdir /Cleanup-Image /StartComponentCleanup /ResetBase
dism /Unmount-Image /MountDir:C:\Mountdir /Commit

Starting in version 1902, there's a new option to automate this process. For more information, see Optimized
image servicing.

Image engineering decisions

When you design your imaging process, there are several options that can impact the installation of software
updates:
Periodically recapture the image
Use offline servicing
 Use default image only
Periodically recapture the image
You have an automated process to capture a custom OS image on a regular schedule. This capture task sequence
installs the latest software updates. These updates can include cumulative, non-cumulative, and other critical
updates such as servicing stack updates (SSU). The deployment task sequence installs any additional updates since
capture.
For more information on this process, see Create a task sequence to capture an OS.
Advantages
Fewer updates to apply at deployment time per client, which saves time and bandwidth during deployment
Fewer updates to worry about causing restarts
Customized image for the organization
Fewer variables at deployment time
Disadvantages
Time to create and capture image, even though it's mostly automated
Increased time to distribute the image to distribution points, which can be seen as outage for active
deployments
Time to test through pre-production environments may be longer than OS patch cycle, which can make the
updated image irrelevant
Use offline servicing
Schedule Configuration Manager to apply software updates to your images.
For more information, see Apply software updates to an image.
Advantages
Fewer updates to apply at deployment time per client, which saves time and bandwidth during deployment
Fewer updates to worry about causing restarts
You can schedule the servicing process at the site
Disadvantages
Manual selection of updates
Increased time to distribute the image to distribution points
Only supports CBS-based updates. It can't apply Microsoft 365 Apps updates

TIP
You can automate the selection of software updates using PowerShell. Use the Get-CMSoftwareUpdate cmdlet to get a list of
updates. Then use the New-CMOperatingSystemImageUpdateSchedule cmdlet to create the offline servicing schedule. The
following example shows one method to automate this action:

# Get the OS image

$Win10Image = Get-CMOperatingSystemImage -Name "Windows 10 Enterprise"

# Get the latest cumulative update for Windows 10 1809

$OSBuild = "1809"
$LatestUpdate = Get-CMSoftwareUpdate -Fast | Where {$_.LocalizedDisplayName -Like "*Cumulative Update for
Windows 10 Version $OSBuild for x64*" -and $_.LocalizedDisplayName -notlike "*Dynamic*"} | Sort-Object
ArticleID -Descending | Select -First 1
Write-Host "Latest update for Windows 10 build" $OSBuild "is" $LatestUpdate.LocalizedDisplayName

# Create a new update schedule to apply the latest update

New-CMOperatingSystemImageUpdateSchedule -Name $Win10Image.Name -SoftwareUpdate $LatestUpdate -RunNow -
ContinueOnError $True
Use default image only
Use the default Windows install.wim image file in your deployment task sequences.
Advantages
A known good source, which reduces the risk of image corruption as a possible issue
Eliminates modifications to image as a possible issue
Disadvantages
Potential for high volume of updates during the deployment
Increased deployment time for every device
May not have needed customizations, requires additional task sequence steps to customize

Flowchart
This flowchart diagram shows the process when you include the Install Software Updates step in a task sequence.
View the diagram at full size

1. Process star ts on the client : A task sequence running on a client includes the Install Software updates step.
2. Compile and evaluate policies : The client compiles all software update policies into WMI RequestedConfigs
namespace. (CIAgent.log)
3. Is this instance the first time it's called?
a. Yes : Go to Full scan
b. No : Is the step configured with the option to Evaluate software updates from cached scan results?
a. Yes : Go to Scan from cached results
b. No : Go to Full scan
4. Scan process: either a full scan or scan from cached results, with monitoring process in parallel.
a. Full scan : The task sequence engine calls the software update agent via Update Scan API to do a full
scan. (WUAHandler.log, ScanAgent.log)
a. SUM agent scan - full : Normal scan process via Windows Update Agent (WUA), which
communicates with software update point running WSUS. It adds any applicable updates to the
local update store. (WindowsUpdate.log, UpdateStore.log)
b. Scan from cached results : The task sequence engine calls the software update agent via Update Scan
API to scan against cached metadata. (WUAHandler.log, ScanAgent.log)
a. SUM agent scan - cached : The Windows Update Agent (WUA) checks against updates already
cached in the local update store. (WindowsUpdate.log, UpdateStore.log)
c. Star t scan timer : The task sequence engine starts a timer and waits. (This process happens in parallel
with either the full scan or scan from cached results process.)
a. Monitoring : The task sequence engine monitors the SUM agent for status.
b. What's the response from the SUM agent?
In progress : Has the timer reached the value in task sequence variable
SMSTSSoftwareUpdateScanTimeout? (Default 1 hour)
Yes : The step fails.
No : Go to Monitoring
Failed : The step fails.
Complete : Go to Enumerate update list
5. Enumerate update list : The SUM agent enumerates the list of updates returned by the scan, determining
which are available or mandatory.
6. Are there any updates in the list of scan results?
 Yes : Go to Install updates
No : Nothing to install, the step successfully completes.
7. Deployment process: The install updates process happens in parallel with the deployment monitoring process.
a. Install updates : The task sequence engine calls the SUM agent via Update Deployment API to install all
available or only mandatory updates. This behavior is based on the configuration of the step, whether
you select Required for installation - Mandator y software updates only or Available for
installation - All software updates . You can also specify this behavior using the
SMSInstallUpdateTarget variable.
a. SUM agent install : Normal install process using existing cached list of updates, with standard
content download. Install update via Windows Update Agent (WUA). (UpdatesDeployment.log,
UpdatesHandler.log, WuaHandler.log, WindowsUpdate.log)
b. Star t deployment timer and show progress : The task sequence engine starts an installation timer,
shows sub-progress at 10% intervals in TS Progress UI, and waits.
a. Monitoring : The task sequence engine polls the SUM agent for status.
b. What's the response from the SUM agent?
In progress : Has the installation process been inactive for 8 hours?
Yes : The step fails.
No : Go to Monitoring
Failed : The step fails.
Complete : Go to Is the step configured with the option to Evaluate software updates
from cached scan results ?
Timeouts
The diagram includes two of the timeout variables that apply to this step. There are other standard timers from
other components that can impact this process.
Update scan timeout: 1 hour (smsts.log)
Location request timeout: 1 hour (LocationServices.log, CAS.log)
Content download timeout: 1 hour (DTS.log)
Inactive distribution point timeout: 1 hour (LocationServices.log, CAS.log)
Total install inactive timeout: 8 hours (smsts.log)

Troubleshooting
Use the following resources and additional information to help you troubleshoot issues with this step:
Make sure to target your software update deployments to the same collection as the task sequence
deployment.
Make sure to include software update points in boundary groups. For more information, see this Microsoft
Support article.
To help you troubleshoot the software update management process, see Software Update Management
Troubleshooting.
To help improve overall performance, reduce the size of the software update catalog. For example:
Remove unnecessary classifications, products, and languages. For more information, see Configure
classifications and products to synchronize.
Reindex the site database and rebuild statistics. For more information, see the Configuration Manager
Perf and Scale Guidance Whitepaper.
Decline unnecessary updates, for example:
Superseded (Starting in version 1810, Configuration Manager does this action for you. For more
information, see WSUS cleanup behavior starting in version 1810.)
Itanium
Beta
Version Next
ARM
Versions of Windows you aren't deploying
 Preprovision BitLocker in Windows PE with
Configuration Manager
9/4/2020 • 3 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The Pre-provision BitLocker task sequence step in Configuration Manager allows you to enable BitLocker from
the Windows Preinstallation Environment (Windows PE) prior to operating system deployment. Only the used drive
space is encrypted, and therefore, encryption times are much faster. This is done with a randomly generated clear
protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process.
The ability to pre-provision BitLocker was introduced with Windows 8 and Windows Server 2012. However, you
can pre-provision BitLocker on a hard drive and install Windows 7 as long as you follow specific steps. After
Windows 7 Setup completes, you must set a BitLocker key protector because the Windows 7 BitLocker control
panel does not support BitLocker with a clear protector. You must add a key protector by using the Enable
BitLocker step or by using the manage-bde.exe command-line tool.
Generally, you must do the following to successfully pre-provision BitLocker on a computer that will install
Windows 7:
Restart the computer in Windows PE

IMPORTANT
You must use a boot image with Windows PE 4 or later to pre-provision BitLocker. For more information about
supported Windows PE versions in Configuration Manager, see Dependencies External to Configuration Manager.

Partition and format the hard drive

Pre-provision BitLocker
Install Windows 7 with specific operating system and network settings
Add a key protector to BitLocker
In Configuration Manager, the recommended way to pre-provision BitLocker on a hard drive and install
Windows 7 is to create a new task sequence and select Install an existing image package from the
Create New Task Sequence page of the Create Task Sequence Wizard . The wizard creates the task
sequence steps listed in following table.

NOTE
The task sequence might have additional steps depending on how you configured the settings in the wizard. For example,
you might have the Capture Windows Settings step if you selected Captured Microsoft Windows settings on the
State Migration page of the wizard.

TA SK SEQ UEN C E ST EP DETA IL S

Disable BitLocker This step disables BitLocker encryption, if it is currently

enabled. For more information, see Disable BitLocker.
TA SK SEQ UEN C E ST EP DETA IL S

Restart Computer in Windows PE This step restarts the computer in Windows PE by running the
boot image assigned to the task sequence. You must use a
boot image with Windows PE 4 or later to pre-provision
BitLocker. For more information, see Restart Computer.

Partition Disk 0 - BIOS These steps format and partition the specified drive on the
destination computer by using BIOS or UEFI. The task
Partition Disk 0 - UEFI sequence uses UEFI when it detects that the destination
computer is in UEFI mode. For more information, see Format
and Partition Disk.

Pre-provision BitLocker This step enables BitLocker on a drive while in Windows PE.
Only the used drive space is encrypted. Because you
partitioned and formatted the hard drive in the previous step,
there is no data, and encryption completes very quickly. For
more information, see Pre-provision BitLocker.

Apply Operating System This step prepares the answer file that is used to install the
operating system on the destination computer and sets the
OSDTargetSystemDrive task sequence variable to the drive
letter of the partition that contains the operating system files.
The answer file and variable are used by the Setup Windows
and ConfigMgr step to install the operating system. For more
information, see Apply Operating System Image.

Apply Windows Settings This step adds Windows settings to the answer file. The
answer file is used by the Setup Windows and ConfigMgr step
to install the operating system. For more information, see
Apply Windows Settings.

Apply Network Settings This step adds Network settings to the answer file. The answer
file is used by the Setup Windows and ConfigMgr step to
install the operating system. For more information, see Apply
Network Settings Step.

Apply Device Drivers This step matches and installs drivers as part of the operating
system deployment. For more information, see Auto Apply
Drivers.

Setup Windows and ConfigMgr This step performs the transition from Windows PE to the new
operating system. This task sequence step is a required part of
any operating system deployment. It installs the Configuration
Manager client into the new operating system and prepares
for the task sequence to continue execution in the new
operating system. For more information, see Setup Windows
and ConfigMgr.

Enable BitLocker This step enables BitLocker encryption on the hard drive and
sets key protectors. Because the hard drive was pre-
provisioned with BitLocker, this step completes very quickly.
Windows 7 requires that you add a key protector. If you do
not use this step, you can run the manage-bde.exe command-
line tool to set a key protector. For more information, see
Enable BitLocker.
 How to use task sequence variables in Configuration
Manager
9/4/2020 • 14 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

The task sequence engine in the OS deployment feature of Configuration Manager uses many variables to control
its behaviors. Use these variables to:
Set conditions on steps
Change behaviors for specific steps
Use in scripts for more complex actions
For a reference of all available task sequence variables, see Task sequence variables.

Types of variables
There are several types of variables:
Built-in
Action
Custom
Read-only
Array
Built-in variables
Built-in variables provide information about the environment where the task sequence runs. Their values are
available throughout the whole task sequence. Typically, the task sequence engine initializes built-in variables
before it runs any steps.
For example, _SMSTSLogPath is an environment variable that specifies the path to which Configuration Manager
components write log files. Any task sequence step can access this environment variable.
The task sequence evaluates some variables before each step. For example, _SMSTSCurrentActionName lists the
name of the current step.
Action variables
Task sequence action variables specify configuration settings that a single task sequence step uses. By default, the
step initializes its settings before it runs. These settings are available only while the associated task sequence step
runs. The task sequence adds the action variable value to the environment before it runs the step. It then removes
the value from the environment after the step runs.
For example, you add the Run Command Line step to a task sequence. This step includes a Star t In property.
The task sequence stores a default value for this property as the WorkingDirectory variable. The task sequence
initializes this value before it runs the Run Command Line step. While this step is running, access the Star t In
property value from the WorkingDirectory value. After the step completes, the task sequence removes the value
of the WorkingDirectory variable from the environment. If the task sequence includes another Run Command
Line step, it initializes a new WorkingDirectory variable. At that time, the task sequence sets the variable to the
starting value for the current step. For more information, see WorkingDirectory.
The default value for an action variable is present when the step runs. If you set a new value, it's available to
multiple steps in the task sequence. If you override a default value, the new value stays in the environment. This
new value overrides the default value for other steps in the task sequence. For example, you add a Set Task
Sequence Variable step as the first step of the task sequence. This step sets the WorkingDirectory variable to
C:\ . Any Run Command Line step in the task sequence uses the new starting directory value.

Some task sequence steps mark certain action variables as output. Steps later in the task sequence read these
output variables.

NOTE
Not all task sequence steps have action variables. For example, although there are variables associated with the Enable
BitLocker action, there are no variables associated with the Disable BitLocker action.

Custom variables
These variables are any that Configuration Manager doesn't create. Initialize your own variables to use as
conditions, in command lines, or in scripts.
When you specify a name for a new task sequence variable, follow these guidelines:
The task sequence variable name can include letters, numbers, the underscore character ( _ ), and a hyphen
( - ).
Task sequence variable names have a minimum length of one character and a maximum length of 256
characters.
User-defined variables must begin with a letter ( A-Z or a-z ).
User-defined variable names can't begin with the underscore character. Only read-only task sequence
variables are preceded by the underscore character.
Task sequence variable names aren't case-sensitive. For example, OSDVAR and osdvar are the same task
sequence variable.
Task sequence variable names can't begin or end with a space. They also can't have embedded spaces. The
task sequence ignores any spaces at the beginning or the end of a variable name.
There's no set limit to how many task sequence variables you can create. However, the number of variables is
limited by the size of the task sequence environment. The total size limit for the task sequence environment is 8
KB. For more information, see Reduce the size of task sequence policy.
Read-only variables
You can't change the value of some variables, which are read-only. Usually the name begins with an underscore
character ( _ ). The task sequence uses them for its operations. Read-only variables are visible in the task sequence
environment.
These variables are useful in scripts or command-lines. For example, running a command line and piping the
output to a log file in _SMSTSLogPath with the other log files.

NOTE
Read-only task sequence variables can be read by steps in a task sequence but they can't be set. For example, use a read-
only variable as part of the command line for a Run Command Line step. You can't set a read-only variable by using the
Set Task Sequence Variable step.

Array variables
The task sequence stores some variables as an array. Each element in the array represents the settings for a single
object. Use these variables when a device has more than one object to configure. The following task sequence
steps use array variables:
Apply Network Settings
Format and Partition Disk

How to set variables

For custom variables or variables that aren't read-only, there are several methods to initialize and set the value of
the variable:
Set Task Sequence Variable step
Set Dynamic Variables step
Run PowerShell Script step
Collection and device variables
TSEnvironment COM object
Prestart command
Task Sequence Wizard
Task Sequence Media Wizard
Delete a variable from the environment by using the same methods as creating a variable. To delete a variable, set
the variable value to an empty string.
You can combine methods to set a task sequence variable to different values for the same sequence. For example,
set the default values using the task sequence editor, and then set custom values using a script.
If you set the same variable by different methods, the task sequence engine uses the following order:
1. It evaluates collection variables first.
2. Device-specific variables override the same variable set on a collection.
3. Variables set by any method during the task sequence take precedence over collection or device variables.
General limitations for task sequence variable values
Task sequence variable values can't be more than 4,000 characters.
You can't change a read-only task sequence variable. Read-only variables have names that start with an
underscore character ( _ ).
Task sequence variable values can be case-sensitive depending on the usage of the value. In most cases,
task sequence variable values aren't case-sensitive. A variable that includes a password is case-sensitive.
Set Task Sequence Variable
Use this step in the task sequence to set a single variable to a single value.
For more information, see Set Task Sequence Variable.
Set Dynamic Variables
Use this step in the task sequence to set one or more task sequence variables. You define rules in this step to
determine which variables and values to use.
For more information, see Set Dynamic Variables.
Run PowerShell Script
Use this step in the task sequence to use a PowerShell script to set a task sequence variable.
You can specify a script name from a package, or directly enter a PowerShell script in the step. Then use the step
property to Output to task sequence variable to save the script output to a custom task sequence variable.
For more information on this step, see Run PowerShell Script.

NOTE
You can also use a PowerShell script to set one or more variables with the TSEnvironment object. For more information,
see How to use variables in a running task sequence in the Configuration Manager SDK.

Example scenario with Run PowerShell Script step

Your environment has users in multiple countries/regions, so you want to query the OS language to set as a
condition on multiple language-specific Apply OS steps.
1. Add an instance of the Run PowerShell Script to the task sequence before the Apply OS steps.
2. Use the option to Enter a PowerShell script to specify the following command:

(Get-Culture).TwoLetterISOLanguageName

For more information on the cmdlet, see Get-Culture. For more information on the two-letter ISO language
names, see List of ISO 639-1 codes.
3. For the option to Output to task sequence variable , specify CurrentOSLanguage .

4. On the Apply OS step for the English language image, create the following condition:
Task Sequence Variable CurrentOSLanguage equals "en"
 TIP
For more information on how to create a condition on a step, see How to access variables - Step condition.

5. Save and deploy the task sequence.

When the Run PowerShell Script step runs on a device with the English language version of Windows, the
command returns the value en . It then saves that value into the custom variable. When the Apply OS step for
the English language image runs on the same device, the condition evaluates to true. If you have multiple
instances of the Apply OS step for different languages, the task sequence dynamically runs the step that matches
the OS language.
Collection and device variables
You can define custom task sequence variables for devices and collections. Variables that you define for a device
are referred to as per-device task sequence variables. Variables defined for a collection are referred to as per-
collection task sequence variables. If there's a conflict, per-device variables take precedence over per-collection
variables. This behavior means that task sequence variables that are assigned to a specific device automatically
have a higher priority than variables that are assigned to the collection that contains the device.
For example, device XYZ is a member of collection ABC. You assign MyVariable to collection ABC with a value of 1.
You also assign MyVariable to device XYZ with a value of 2. The variable that's assigned to XYZ has higher priority
than the variable that's assigned to collection ABC. When a task sequence with this variable runs on XYZ,
MyVariable has a value of 2.
You can hide per-device and per-collection variables so that they aren't visible in the Configuration Manager
console. When you use the option Do not display this value in the Configuration Manager console , the
value of the variable isn't displayed in the console. The task sequence log file (smsts.log ) or the task sequence
debugger won't show the variable value either. The variable can still be used by the task sequence when it runs. If
you no longer want these variables to be hidden, delete them first. Then redefine the variables without selecting
the option to hide them.

WARNING
If you include variables in the Run Command Line step's command line, the task sequence log file displays the full
command line including the variable values. To prevent potentially sensitive data from appearing in the log file, set the task
sequence variable OSDDoNotLogCommand to TRUE .
You can manage per-device variables at a primary site or at a central administration site. Configuration Manager
doesn't support more than 1,000 assigned variables for a device.

IMPORTANT
When you use per-collection variables for task sequences, consider the following behaviors:
Changes to collections are always replicated throughout the hierarchy. Any changes that you make to collection
variables apply not just to members of the current site, but to all members of the collection throughout the
hierarchy.
When you delete a collection, this action also deletes the task sequence variables that you configured for the
collection.

Create task sequence variables for a device

1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Devices node.
2. Select the target device and select Proper ties .
3. In the Proper ties dialog box, switch to the Variables tab.
4. For each variable that you want to create, select the New icon. Specify the Name and Value of the task
sequence variable. If you want to hide the variable so that it's not visible in the Configuration Manager
console, select the option Do not display this value in the Configuration Manager console .
5. After you've added all the variables to the device properties, select OK .
Create task sequence variables for a collection
1. In the Configuration Manager console, go to the Assets and Compliance workspace, and select the
Device Collections node. Select the target collection and choose Proper ties .
2. In the Proper ties dialog box, switch to the Collection Variables tab.
3. For each variable that you want to create, select the New icon. Specify the Name and Value of the task
sequence variable. If you want to hide the variable so that it's not visible in the Configuration Manager
console, select the option Do not display this value in the Configuration Manager console .
4. Optionally, specify the priority for Configuration Manager to use when the task sequence variables are
evaluated.
5. After you've added all the variables to the collection properties, select OK .
TSEnvironment COM object
To work with variables from a script, use the TSEnvironment object.
For more information, see How to use variables in a running task sequence in the Configuration Manager SDK.
Prestart command
The prestart command is a script or executable that runs in Windows PE before the user selects the task sequence.
The prestart command can query a variable or prompt the user for information, and then save it in the
environment. Use the TSEnvironment COM object to read and write variables from the prestart command.
For more information, see Prestart commands for task sequence media.
Task Sequence Wizard
Starting in version 1906, after you select a task sequence in the Task Sequence Wizard window, the page to edit
task sequence variables includes an Edit button. You can use accessible keyboard shortcuts to edit the variables.
This change helps in cases where a mouse isn't available.
Task Sequence Media Wizard
Specify variables for task sequences that run from media. When using media to deploy the OS, you add the task
sequence variables and specify their values when you create the media. The variables and their values are stored
on the media.

NOTE
Task sequences are stored on stand-alone media. However, all other types of media, such as prestaged media, retrieve the
task sequence from a management point.

When you run a task sequence from media, you can add a variable on the Customization page of the wizard.
Use the media variables in place of per-collection or per-computer variables. If the task sequence is running from
media, per-computer and per-collection variables don't apply and aren't used.

TIP
The task sequence writes the package ID and prestart command line to the CreateTSMedia.log file on the computer that
runs the Configuration Manager console. This log file includes the value for any task sequence variables. Review this log file
to verify the value for the task sequence variables.

For more information, see Create task sequence media.

How to access variables

After you specify the variable and its value by using one of the methods from the previous section, use it in your
task sequences. For example, access default values for built-in task sequence variables, or make a step conditional
on the value of a variable.
Use the following methods to access variable values in the task sequence environment:
Use in a step
Step condition
Custom script
Windows setup answer file
Use in a step
Specify a variable value for a setting in a task sequence step. In the task sequence editor, edit the step, and specify
the variable name as the field value. Enclose the variable name in percent signs ( % ).
For example, use the variable name as part of the Command Line field of the Run Command Line step. The
following command line writes the computer name to a text file.
cmd.exe /c %_SMSTSMachineName% > C:\File.txt

Step condition
Use built-in or custom task sequence variables as part of a condition on a step or group. The task sequence
evaluates the variable value before it runs the step or group.
To add a condition that evaluates a variable value, do the following steps:
1. In the task sequence editor, select the step or group to which you want to add the condition.
2. Switch to the Options tab for the step or group. Click Add Condition , and select Task Sequence
Variable .
3. In the Task Sequence Variable dialog box, specify the following settings:
Variable : The name of the variable. For example, _SMSTSInWinPE .
Condition : The condition to evaluate the variable value. For example, equals .
Value : The value of the variable to check. For example, false .

The three examples above form a common condition to test whether the task sequence is running from a boot
image in Windows PE:

Task Sequence Variable _SMSTSInWinPE equals "false"

See this condition on the Capture Files and Settings group of the default task sequence template to install an
existing OS image.
For more information about conditions, see Task sequence editor - Conditions.
Custom script
Read and write variables by using the Microsoft.SMS.TSEnvironment COM object while the task sequence is
running.
The following Windows PowerShell example queries the _SMSTSLogPath variable to get the current log location.
The script also sets a custom variable.

# Create an object to access the task sequence environment

$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# Query the environment to get an existing variable

# Set a variable for the task sequence log path
$LogPath = $tsenv.Value("_SMSTSLogPath")

# Or, convert all of the variables currently in the environment to PowerShell variables
$tsenv.GetVariables() | % { Set-Variable -Name "$_" -Value "$($tsenv.Value($_))" }

# Write a message to a log file

Write-Output "Hello world!" | Out-File -FilePath "$_SMSTSLogPath\mylog.log" -Encoding "Default" -Append

# Set a custom variable "startTime" to the current time

$tsenv.Value("startTime") = (Get-Date -Format HH:mm:ss) + ".000+000"

Windows setup answer file

The Windows setup answer file that you supply can have embedded task sequence variables. Use the form
%varname% , where varname is the name of the variable. The Setup Windows and ConfigMgr step replaces the
variable name string for the actual variable value. These embedded task sequence variables can't be used in
numeric-only fields in an unattend.xml answer file.
For more information, see Setup Windows and ConfigMgr.

See also
Task sequence steps
Task sequence variables
Planning considerations for automating tasks
Task sequence editor
 Task sequence variables
9/4/2020 • 45 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

This article is a reference for all of the available variables in alphabetical order. Use the browser Find function (typically CTRL + F ) to find a specific variable. The variable notes
if it's specific to particular step. The article on task sequence steps includes the list of variables specific to each step.
For more information, see Using task sequence variables.

Task sequence variable reference

_OSDDetectedWinDir
The task sequence scans the computer's hard drives for a previous operating system installation when Windows PE starts. The Windows folder location is stored in this
variable. You can configure your task sequence to retrieve this value from the environment and use it to specify the same Windows folder location to use for the new
operating system installation.
_OSDDetectedWinDrive
The task sequence scans the computer's hard drives for a previous operating system installation when Windows PE starts. The hard drive location for where the operating
system is installed is stored in this variable. You can configure your task sequence to retrieve this value from the environment and use it to specify the same hard drive
location to use for the new operating system.
_OSDMigrateUsmtPackageID
Applies to the Capture User State step.
(input)
Specifies the package ID of the Configuration Manager package that contains the USMT files. This variable is required.
_OSDMigrateUsmtRestorePackageID
Applies to the Restore User State step.
(input)
Specifies the package ID of the Configuration Manager package that contains the USMT files. This variable is required.
_SMSTSAdvertID
Stores the current running task sequence deployment unique ID. It uses the same format as a Configuration Manager software distribution deployment ID. If the task sequence
is running from stand-alone media, this variable is undefined.
Example
ABC20001

_SMSTSAssetTag
Applies to the Set Dynamic Variables step.
Specifies the asset tag for the computer.
_SMSTSBootImageID
If the current running task sequence references a boot image package, this variable stores the boot image package ID. If the task sequence doesn't reference a boot image
package, this variable isn't set.
Example
ABC00001

_SMSTSBootUEFI
The task sequence sets this variable when it detects a computer that's in UEFI mode.
_SMSTSClientCache
The task sequence sets this variable when it caches content on the local drive. The variable contains the path to the cache. If this variable doesn't exist, then there's no cache.
_SMSTSClientGUID
Stores the value of Configuration Manager client GUID. If the task sequence is running from standalone media, this variable isn't set.
Example
0a1a9a4b-fc56-44f6-b7cd-c3f8ee37c04c

_SMSTSCurrentActionName
Specifies the name of the currently running task sequence step. This variable is set before the task sequence manager runs each individual step.
Example
run command line

_SMSTSDefaultGateways
Applies to the Set Dynamic Variables step.
Specifies the default gateways used by the computer.
_SMSTSDownloadOnDemand
If the current task sequence is running in download-on-demand mode, this variable is true . Download-on-demand mode means the task sequence manager downloads
content locally only when it must access the content.
_SMSTSInWinPE
When the current task sequence step is running in Windows PE, this variable is true . Test this task sequence variable to determine the current OS environment.
_SMSTSIPAddresses
Applies to the Set Dynamic Variables step.
Specifies the IP addresses used by the computer.
_SMSTSLastActionName
Stores the name of the last action that was run. This variable relates to _SMSTSLastActionRetCode . The task sequence logs these values to the smsts.log file. This variable is
beneficial when troubleshooting a task sequence. When a step fails, a custom script can include the step name along with the return code.
_SMSTSLastActionRetCode
Stores the return code from the last action that was run. This variable can be used as a condition to determine if the next step is run.
Example
0

_SMSTSLastActionSucceeded
If the last step succeeded, this variable is true .
If the last step failed, it's false .
If the task sequence skipped the last action, because the step is disabled or the associated condition evaluated to false , this variable isn't reset. It still holds the value for
the previous action.
_SMSTSLastContentDownloadLocation
Starting in version 1906, this variable contains the last location where the task sequence downloaded or attempted to download content. Inspect this variable instead of
parsing the client logs for this content location.
_SMSTSLaunchMode
Specifies that the task sequence started via one of the following methods:
SMS : The Configuration Manager client, such as when a user starts it from Software Center
UFD : Legacy USB media
UFD+FORMAT : Newer USB media
CD : A bootable CD
DVD : A bootable DVD
PXE : Network boot with PXE
HD : Prestaged media on a hard disk
_SMSTSLogPath
Stores the full path of the log directory. Use this value to determine where the task sequence steps log their actions. This value isn't set when a hard drive isn't available.
_SMSTSMacAddresses
Applies to the Set Dynamic Variables step.
Specifies the MAC addresses used by the computer.
_SMSTSMachineName
Stores and specifies the computer name. Stores the name of the computer that the task sequence uses to log all status messages. To change the computer name in the new OS,
use the OSDComputerName variable.
_SMSTSMake
Applies to the Set Dynamic Variables step.
Specifies the make of the computer.
_SMSTSMDataPath
Specifies the path defined by the SMSTSLocalDataDrive variable. This path specifies where the task sequence stores temporary cache files on the destination computer while
it's running. When you define SMSTSLocalDataDrive before the task sequence starts, such as by setting a collection variable, Configuration Manager then defines the
_SMSTSMDataPath variable once the task sequence starts.
_SMSTSMediaType
Specifies the type of media that's used to initiate the installation. Examples of types of media are Boot Media, Full Media, PXE, and Prestaged Media.
_SMSTSModel
Applies to the Set Dynamic Variables step.
Specifies the model of the computer.
_SMSTSMP
Stores the URL or IP address of a Configuration Manager management point.
_SMSTSMPPort
Stores the port number of a Configuration Manager management point.
_SMSTSOrgName
Stores the branding title name that the task sequence displays in the progress dialog.
_SMSTSOSUpgradeActionReturnCode
Applies to the Upgrade operating system step.
Stores the exit code value that Windows Setup returns to indicate success or failure. This variable is useful with the /Compat command-line option.
Example
On the completion of a compat-only scan, take action in later steps depending on the failure or success exit code. On success, initiate the upgrade. Or set a marker in the
environment to collect with hardware inventory. For example, add a file or set a registry key. Use this marker to create a collection of computers that are ready to upgrade, or
that require action before upgrade.
_SMSTSPackageID
Stores the current running task sequence ID. This ID uses the same format as a Configuration Manager package ID.
Example
HJT00001

_SMSTSPackageName
Stores the current running task sequence name. A Configuration Manager administrator specifies this name when creating the task sequence.
Example
Deploy Windows 10 task sequence

_SMSTSRunFromDP
Set to true if the current task sequence is running in run-from-distribution-point mode. This mode means the task sequence manager obtains required package shares from
distribution point.
_SMSTSSerialNumber
Applies to the Set Dynamic Variables step.
Specifies the serial number of the computer.
_SMSTSSetupRollback
Specifies whether Windows Setup performed a rollback operation during an in-place upgrade. The variable values can be true or false .
_SMSTSSiteCode
Stores the site code of the Configuration Manager site.
Example
ABC

_SMSTSTimezone
This variable stores the time zone information in the following format:
Bias,StandardBias,DaylightBias,StandardDate.wYear,wMonth,wDayOfWeek,wDay,wHour,wMinute,wSecond,wMilliseconds,DaylightDate.wYear,wMonth,wDayOfWeek,wDay,wHour,wMinute,wSecond,wMilliseconds,StandardName

Example
For the time zone Eastern Time (US and Canada) :
300,0,-60,0,11,0,1,2,0,0,0,0,3,0,2,2,0,0,0,Eastern Standard Time,Eastern Daylight Time

_SMSTSType
Specifies the type of the current running task sequence. It can have one of the following values:
1 : A generic task sequence
2 : An OS deployment task sequence
_SMSTSUseCRL
When the task sequence uses HTTPS to communicate with the management point, this variable specifies whether it uses the certificate revocation list (CRL).
_SMSTSUserStarted
Specifies whether a user started the task sequence. This variable is set only if the task sequence is started from Software Center. For example, if _SMSTSLaunchMode is set to
SMS .

This variable can have the following values:

true : Specifies that the task sequence is manually started by a user from Software Center.
false : Specifies that the task sequence is initiated automatically by the Configuration Manager scheduler.
_SMSTSUseSSL
Specifies whether the task sequence uses SSL to communicate with the Configuration Manager management point. If you configure your site systems for HTTPS, the value is
set to true .
_SMSTSUUID
Applies to the Set Dynamic Variables step.
Specifies the UUID of the computer.
_SMSTSWTG
Specifies if the computer is running as a Windows To Go device.
_TS_CRMEMORY
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Minimum memor y (MB) check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is
blank.
_TS_CRSPEED
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Minimum processor speed (MHz) check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only
variable is blank.
_TS_CRDISK
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Minimum free disk space (MB) check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only
variable is blank.
_TS_CROSTYPE
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Current OS to be refreshed is check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable
is blank.
_TS_CRARCH
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Architecture of current OS check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is
blank.
_TS_CRMINOSVER
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Minimum OS version check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is blank.
_TS_CRMAXOSVER
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Maximum OS version check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is blank.
_TS_CRCLIENTMINVER
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Minimum client version check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is
blank.
_TS_CROSLANGUAGE
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Language of current OS check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is
blank.
_TS_CRACPOWER
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the AC power plugged in check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is blank.
_TS_CRNETWORK
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Network adapter connected check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only variable is
blank.
_TS_CRUEFI
Starting in version 2006 Applies to the Check Readiness step.
A read-only variable for whether the Computer is in UEFI mode returned BIOS ( 0 ) or UEFI ( 1 ). If you don't enable the check, the value of this read-only variable is blank.
_TS_CRWIRED
Starting in version 2002
Applies to the Check Readiness step.
A read-only variable for whether the Network adapter is not wireless check returned true ( 1 ) or false ( 0 ). If you don't enable the check, the value of this read-only
variable is blank.
_TSAppInstallStatus
The task sequence sets this variable with the installation status for the application during the Install Application step. It sets one of the following values:
Undefined : The Install Application step hasn't run.
Error : At least one application failed because of an error during the Install Application step.
Warning : No errors occurred during the Install Application step. One or more applications, or a required dependency, didn't install because a requirement wasn't met.
Success : There are no errors or warnings detected during the Install Application step.
_TSSecureBoot
Starting in version 2002
Use this variable to determine the state of secure boot on a UEFI-enabled device. The variable can have one of the following values:
NA : The associated registry value doesn't exist, which means the device doesn't support secure boot.
Enabled : The device has secure boot enabled.
Disabled : The device has secure boot disabled.

OSDAdapter
Applies to the Apply Network Settings step.
(input)
This task sequence variable is an array variable. Each element in the array represents the settings for a single network adapter on the computer. Access the settings for each
adapter by combining the array variable name with the zero-based network adapter index and the property name.
If the Apply Network Settings step configures multiple network adapters, it defines the properties for the second network adapter by using the index 1 in the variable name.
For example: OSDAdapter1EnableDHCP, OSDAdapter1IPAddressList, and OSDAdapter1DNSDomain.
Use the following variable names to define the properties of the first network adapter for the step to configure:
OSDAdapter0EnableDHCP
This setting is required. Possible values are True or False . For example:
true : enable Dynamic Host Configuration Protocol (DHCP) for the adapter
OSDAdapter0IPAddressList
Comma-delimited list of IP addresses for the adapter. This property is ignored unless EnableDHCP is set to false . This setting is required.
OSDAdapter0SubnetMask
Comma-delimited list of subnet masks. This property is ignored unless EnableDHCP is set to false . This setting is required.
OSDAdapter0Gateways
Comma-delimited list of IP gateway addresses. This property is ignored unless EnableDHCP is set to false . This setting is required.
OSDAdapter0DNSDomain
Domain Name System (DNS) domain for the adapter.
OSDAdapter0DNSServerList
Comma-delimited list of DNS servers for the adapter. This setting is required.
OSDAdapter0EnableDNSRegistration
Set to true to register the IP address for the adapter in DNS.
OSDAdapter0EnableFullDNSRegistration
Set to true to register the IP address for the adapter in DNS under the full DNS name for the computer.
OSDAdapter0EnableIPProtocolFiltering
Set to true to enable IP protocol filtering on the adapter.
OSDAdapter0IPProtocolFilterList
Comma-delimited list of protocols allowed to run over IP. This property is ignored if EnableIPProtocolFiltering is set to false .
OSDAdapter0EnableTCPFiltering
Set to true to enable TCP port filtering for the adapter.
OSDAdapter0TCPFilterPortList
Comma-delimited list of ports to be granted access permissions for TCP. This property is ignored if EnableTCPFiltering is set to false .
OSDAdapter0TcpipNetbiosOptions
Options for NetBIOS over TCP/IP. Possible values are as follows:
0 : Use NetBIOS settings from DHCP server
1 : Enable NetBIOS over TCP/IP
2 : Disable NetBIOS over TCP/IP

OSDAdapter0EnableWINS
Set to true to use WINS for name resolution.
OSDAdapter0WINSServerList
Comma-delimited list of WINS server IP addresses. This property is ignored unless EnableWINS is set to true .
OSDAdapter0MacAddress
MAC address used to match settings to the physical network adapter.
OSDAdapter0Name
The name of the network connection as it appears in the network connections control panel program. The name is between 0 and 255 characters long.
OSDAdapter0Index
Index of the network adapter settings in the array of settings.
Example
OSDAdapterCount = 1
OSDAdapter0EnableDHCP = FALSE
OSDAdapter0IPAddressList = 192.168.0.40
OSDAdapter0SubnetMask = 255.255.255.0
OSDAdapter0Gateways = 192.168.0.1
OSDAdapter0DNSSuffix = contoso.com
OSDAdapterCount
Applies to the Apply Network Settings step.
(input)
Specifies the number of network adapters installed on the destination computer. When you set the OSDAdapterCount value, also set all the configuration options for each
adapter.
For example, if you set the OSDAdapter0TCPIPNetbiosOptions value for the first adapter, then you must configure all the values for that adapter.
If you don't specify this value, the task sequence ignores all OSDAdapter values.
OSDApplyDriverBootCriticalContentUniqueID
Applies to the Apply Driver Package step.
(input)
Specifies the content ID of the mass storage device driver to install from the driver package. If this variable isn't specified, no mass storage driver is installed.
OSDApplyDriverBootCriticalHardwareComponent
Applies to the Apply Driver Package step.
(input)
Specifies whether a mass storage device driver is installed, this variable must be scsi .
If OSDApplyDriverBootCriticalContentUniqueID is set, this variable is required.
OSDApplyDriverBootCriticalID
Applies to the Apply Driver Package step.
(input)
Specifies the boot critical ID of the mass storage device driver to install. This ID is listed in the scsi section of the device driver's txtsetup.oem file.
If OSDApplyDriverBootCriticalContentUniqueID is set, this variable is required.
OSDApplyDriverBootCriticalINFFile
Applies to the Apply Driver Package step.
(input)
Specifies the INF file of the mass storage driver to install.
If OSDApplyDriverBootCriticalContentUniqueID is set, this variable is required.
OSDAutoApplyDriverBestMatch
Applies to the Auto Apply Drivers step.
(input)
If there are multiple device drivers in the driver catalog that are compatible with a hardware device, this variable determines the step's action.
Valid values
true (default): Only install the best device driver
false : Installs all compatible device drivers, and Windows chooses the best driver to use
OSDAutoApplyDriverCategoryList
Applies to the Auto Apply Drivers step.
(input)
A comma-delimited list of the driver catalog category unique IDs. The Auto Apply Driver step only considers the drivers in at least one of the specified categories. This value
is optional, and it's not set by default. Obtain the available category IDs by enumerating the list of SMS_Categor yInstance objects on the site.
OSDBitLockerRebootCount
Applies to the Disable BitLocker step.
Starting in version 1906, use this variable to set the number of restarts after which to resume protection.
Valid values
An integer from 1 to 15 .
OSDBitLockerRebootCountOverride
Applies to the Disable BitLocker step.
Starting in version 1906, set this value to override the count set by the step or the OSDBitLockerRebootCount variable. While the other methods only accept values 1 to 15, if
you set this variable to 0, BitLocker remains disabled indefinitely. This variable is useful when the task sequence sets one value, but you want to set a separate value on a per-
device or per-collection basis.
Valid values
An integer from 0 to 15 .
OSDBitLockerRecoveryPassword
Applies to the Enable BitLocker step.
(input)
Instead of generating a random recovery password, the Enable BitLocker step uses the specified value as the recovery password. The value must be a valid numerical
BitLocker recovery password.
OSDBitLockerStartupKey
Applies to the Enable BitLocker step.
(input)
Instead of generating a random startup key for the key management option Star tup Key on USB only, the Enable BitLocker step uses the Trusted Platform Module (TPM)
as the startup key. The value must be a valid, 256-bit Base64-encoded BitLocker startup key.
OSDCaptureAccount
Applies to the Capture OS Image step.
(input)
Specifies a Windows account name that has permissions to store the captured image on a network share (OSDCaptureDestination). Also specify the
OSDCaptureAccountPassword.
For more information on the capture OS image account, see Accounts.
OSDCaptureAccountPassword
Applies to the Capture OS Image step.
(input)
Specifies the password for the Windows account (OSDCaptureAccount) used to store the captured image on a network share (OSDCaptureDestination).
OSDCaptureDestination
Applies to the Capture OS Image step.
(input)
Specifies the location where the task sequence saves the captured OS image. The maximum directory name length is 255 characters. If the network share requires
authentication, specify the OSDCaptureAccount and OSDCaptureAccountPassword variables.
OSDComputerName (input)
Applies to the Apply Windows Settings step.
Specifies the name of the destination computer.
Example
%_SMSTSMachineName% (default)
OSDComputerName (output)
Applies to the Capture Windows Settings step.
Set to the NetBIOS name of the computer. The value is set only if the OSDMigrateComputerName variable is set to true .
OSDConfigFileName
Applies to the Apply OS Image step.
(input)
Specifies the file name of the OS deployment answer file associated with the OS deployment image package.
OSDDataImageIndex
Applies to the Apply Data Image step.
(input)
Specifies the index value of the image that's applied to the destination computer.
OSDDiskIndex
Applies to the Format and Partition Disk step.
(input)
Specifies the physical disk number to be partitioned.
OSDDNSDomain
Applies to the Apply Network Settings step.
(input)
Specifies the primary DNS server that the destination computer uses.
OSDDNSSuffixSearchOrder
Applies to the Apply Network Settings step.
(input)
Specifies the DNS search order for the destination computer.
OSDDomainName
Applies to the Apply Network Settings step.
(input)
Specifies the name of the Active Directory domain that the destination computer joins. The specified value must be a valid Active Directory Domain Services domain name.
OSDDomainOUName
Applies to the Apply Network Settings step.
(input)
Specifies the RFC 1779 format name of the organizational unit (OU) that the destination computer joins. If specified, the value must contain the full path.
Example
LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com

OSDDoNotLogCommand
Applies to the Install Package step.
Starting in version 1902
Applies to the Run Command Line step.
(input)
To prevent potentially sensitive data from being displayed or logged, set this variable to TRUE . This variable masks the program name in the smsts.log during an Install
Package step.
Starting in version 1902, when you set this variable to TRUE , it also hides the command line from the Run Command Line step in the log file.
OSDEnableTCPIPFiltering
Applies to the Apply Network Settings step.
(input)
Specifies whether TCP/IP filtering is enabled.
Valid values
true
false (default)
OSDGPTBootDisk
Applies to the Format and Partition Disk step.
(input)
Specifies whether to create an EFI partition on a GPT hard disk. EFI-based computers use this partition as the startup disk.
Valid values
true
false (default)
OSDImageCreator
Applies to the Capture OS Image step.
(input)
An optional name of the user who created the image. This name is stored in the WIM file. The maximum length of the user name is 255 characters.
OSDImageDescription
Applies to the Capture OS Image step.
(input)
An optional user-defined description of the captured OS image. This description is stored in the WIM file. The maximum length of the description is 255 characters.
OSDImageIndex
Applies to the Apply OS Image step.
(input)
Specifies the image index value of the WIM file that's applied to the destination computer.
OSDImageVersion
Applies to the Capture OS Image step.
(input)
An optional user-defined version number to assign to the captured OS image. This version number is stored in the WIM file. This value can be any combination of
alphanumeric characters with a maximum length of 32.
OSDInstallDriversAdditionalOptions
Applies to the Apply Driver Package step.
(input)
Specifies additional options to add to the DISM command line when applying a driver package. The task sequence doesn't verify the command-line options.
To use this variable, enable the setting, Install driver package via running DISM with recurse option , on the Apply Driver Package step.
For more information, see Windows 10 DISM Command-Line Options.
OSDJoinAccount
Applies to the following steps:
Apply Network Settings
Join Domain or Workgroup
(input)
Specifies the domain user account that's used to add the destination computer to the domain. This variable is required when joining a domain.
For more information on the task sequence domain joining account, see Accounts.
OSDJoinDomainName
Applies to the Join Domain or Workgroup step.
(input)
Specifies the name of an Active Directory domain the destination computer joins. The length of the domain name must be between 1 and 255 characters.
OSDJoinDomainOUName
Applies to the Join Domain or Workgroup step.
(input)
Specifies the RFC 1779 format name of the organizational unit (OU) that the destination computer joins. If specified, the value must contain the full path. The length of the OU
name must be between 0 and 32,767 characters. This value isn't set if the OSDJoinType variable is set to 1 ( join workgroup).
Example
LDAP://OU=MyOu,DC=MyDom,DC=MyCompany,DC=com

OSDJoinPassword
Applies to the following steps:
Apply Network Settings
Join Domain or Workgroup
(input)
Specifies the password for the OSDJoinAccount that the destination computer uses to join the Active Directory domain. If the task sequence environment doesn't include this
variable, then Windows Setup tries a blank password. If the variable OSDJoinType variable is set to 0 ( join domain), this value is required.
OSDJoinSkipReboot
Applies to the Join Domain or Workgroup step.
(input)
Specifies whether to skip restarting after the destination computer joins the domain or workgroup.
Valid values
true
false

OSDJoinType
Applies to the Join Domain or Workgroup step.
(input)
Specifies whether the destination computer joins a Windows domain or a workgroup.
Valid values
0 : Join the destination computer to a Windows domain
1 : Join the destination computer to a workgroup
OSDJoinWorkgroupName
Applies to the Join Domain or Workgroup step.
(input)
Specifies the name of a workgroup that the destination computer joins. The length of the workgroup name must be between 1 and 32 characters.
OSDKeepActivation
Applies to the Prepare Windows for Capture step.
(input)
Specifies whether sysprep keeps or resets the product activation flag.
Valid values
true : keep the activation flag
false (default): reset the activation flag
OSDLocalAdminPassword
Applies to the Apply Windows Settings step.
(input)
Specifies the local Administrator account password. If you enable the option to Randomly generate the local administrator password and disable the account on all
suppor ted platforms , then the step ignores this variable. The specified value must be between 1 and 255 characters.
OSDLogPowerShellParameters
Starting in version 1902
Applies to the Run PowerShell Script step.
(input)
To prevent potentially sensitive data from being logged, the Run PowerShell Script step doesn't log script parameters in the smsts.log file. To include the script parameters
in the task sequence log, set this variable to TRUE .
OSDMigrateAdapterSettings
Applies to the Capture Network Settings step.
(input)
Specifies whether the task sequence captures the network adapter information. This information includes configuration settings for TCP/IP, DNS, and WINS.
Valid values
true (default)
false

OSDMigrateAdditionalCaptureOptions
Applies to the Capture User State step.
(input)
Specify additional command-line options for the user state migration tool (USMT) that the task sequence uses to capture user state. The step doesn't expose these settings in
the task sequence editor. Specify these options as a string, which the task sequence appends to the automatically generated USMT command line for ScanState.
The USMT options specified with this task sequence variable aren't validated for accuracy prior to running the task sequence.
For more information on available options, see ScanState Syntax.
OSDMigrateAdditionalRestoreOptions
Applies to the Restore User State step.
(input)
Specifies additional command-line options for the user state migration tool (USMT) that the task sequence uses when restoring the user state. Specify the additional options
as a string, which the task sequence appends to the automatically generated USMT command line for LoadState.
The USMT options specified with this task sequence variable aren't validated for accuracy prior to running the task sequence.
For more information on available options, see LoadState Syntax.
OSDMigrateComputerName
Applies to the Capture Windows Settings step.
(input)
Specifies whether the computer name is migrated.
Valid values
true (default). The OSDComputerName (output) variable is set to the NetBIOS name of the computer.
false

OSDMigrateConfigFiles
Applies to the Capture User State step.
(input)
Specifies the configuration files used to control the capture of user profiles. This variable is used only if OSDMigrateMode is set to Advanced . This comma-delimited list value
is set to perform customized user profile migration.
Example
miguser.xml,migsys.xml,migapps.xml

OSDMigrateContinueOnLockedFiles
Applies to the Capture User State step.
(input)
If USMT can't capture some files, this variable allows the user state capture to proceed.
Valid values
true (default)
false
OSDMigrateContinueOnRestore
Applies to the Restore User State step.
(input)
Continue the process, even if USMT can't restore some files.
Valid values
true (default)
false

OSDMigrateEnableVerboseLogging
Applies to the following steps:
Capture User State
Restore User State
(input)
Enables verbose logging for USMT. The step requires this value.
Valid values
true
false (default)
OSDMigrateLocalAccounts
Applies to the Restore User State step.
(input)
Specifies whether the local computer account is restored.
Valid values
true
false (default)
OSDMigrateLocalAccountPassword
Applies to the Restore User State step.
(input)
If the OSDMigrateLocalAccounts variable is true , this variable must contain the password assigned to all migrated local accounts. USMT assigns the same password to all
migrated local accounts. Consider this password as temporary, and change it later by some other method.
OSDMigrateMode
Applies to the Capture User State step.
(input)
Allows you to customize the files that USMT captures.
Valid values
Simple : The task sequence only uses the standard USMT configuration files
Advanced : The task sequence variable OSDMigrateConfigFiles specifies the configuration files that USMT uses
OSDMigrateNetworkMembership
Applies to the Capture Network Settings step.
(input)
Specifies whether the task sequence migrates the workgroup or domain membership information.
Valid values
true (default)
false

OSDMigrateRegistrationInfo
Applies to the Capture Windows Settings step.
(input)
Specifies whether the step migrates user and organization information.
Valid values
true (default). The OSDRegisteredOrgName (output) variable is set to the registered organization name of the computer.
false

OSDMigrateSkipEncryptedFiles
Applies to the Capture User State step.
(input)
Specifies whether encrypted files are captured.
Valid values
true
false (default)
OSDMigrateTimeZone
Applies to the Capture Windows Settings step.
(input)
Specifies whether the computer time zone is migrated.
Valid values
 true (default). The variable OSDTimeZone (output) is set to the time zone of the computer.
false

OSDNetworkJoinType
Applies to the Apply Network Settings step.
(input)
Specifies whether the destination computer joins an Active Directory domain or a workgroup.
Value values
0 : Join an Active Directory domain
1 : Join a workgroup
OSDPartitions
Applies to the Format and Partition Disk step.
(input)
This task sequence variable is an array variable of partition settings. Each element in the array represents the settings for a single partition on the hard disk. Access the
settings defined for each partition by combining the array variable name with the zero-based disk partition number and the property name.
Use the following variable names to define the properties for the first partition that this step creates on the hard disk:
OSDPartitions0Type
Specifies the type of partition. This property is required. Valid values are Primary , Extended , Logical , and Hidden .
OSDPartitions0FileSystem
Specifies the type of file system to use when formatting the partition. This property is optional. If you don't specify a file system, the step doesn't format the partition. Valid
values are FAT32 and NTFS .
OSDPartitions0Bootable
Specifies whether the partition is bootable. This property is required. If this value is set to TRUE for MBR disks, then the step marks this partition as active.
OSDPartitions0QuickFormat
Specifies the type of format that is used. This property is required. If this value is set to TRUE , the step performs a quick format. Otherwise, the step performs a full format.
OSDPartitions0VolumeName
Specifies the name that's assigned to the volume when it's formatted. This property is optional.
OSDPartitions0Size
Specifies the size of the partition. This property is optional. If this property isn't specified, the partition is created using all remaining free space. Units are specified by the
OSDPar titions0SizeUnits variable.
OSDPartitions0SizeUnits
The step uses these units to interpret the OSDPar titions0Size variable. This property is optional. Valid values are MB (default), GB , and Percent .
OSDPartitions0VolumeLetterVariable
When this step creates partitions, it always uses the next available drive letter in Windows PE. Use this optional property to specify the name of another task sequence
variable. The step uses this variable to save the new drive letter for future reference.
If you define multiple partitions with this task sequence step, the properties for the second partition are defined by using the 1 index in the variable name. For example:
OSDPar titions1Type , OSDPar titions1FileSystem , OSDPar titions1Bootable , OSDPar titions1QuickFormat , and OSDPar titions1VolumeName .
OSDPartitionStyle
Applies to the Format and Partition Disk step.
(input)
Specifies the partition style to use when partitioning the disk.
Valid values
GPT : Use the GUID Partition Table style
MBR : Use the master boot record partition style
OSDProductKey
Applies to the Apply Windows Settings step.
(input)
Specifies the Windows product key. The specified value must be between 1 and 255 characters.
OSDRandomAdminPassword
Applies to the Apply Windows Settings step.
(input)
Specifies a randomly generated password for the local Administrator account in the new OS.
Valid values
true (default): Windows Setup disables the local Administrator account on the target computer
false : Windows Setup enables the local administrator account on the target computer, and sets the account password to the value of OSDLocalAdminPassword
OSDRegisteredOrgName (input)
Applies to the Apply Windows Settings step.
Specifies the default registered organization name in the new OS. The specified value must be between 1 and 255 characters.
OSDRegisteredOrgName (output)
Applies to the Capture Windows Settings step.
Set to the registered organization name of the computer. The value is set only if the OSDMigrateRegistrationInfo variable is set to true .
OSDRegisteredUserName
Applies to the Apply Windows Settings step.
(input)
Specifies the default registered user name in the new OS. The specified value must be between 1 and 255 characters.
OSDServerLicenseConnectionLimit
Applies to the Apply Windows Settings step.
(input)
Specifies the maximum number of connections allowed. The specified number must be in the range between 5 and 9999 connections.
OSDServerLicenseMode
Applies to the Apply Windows Settings step.
(input)
Specifies the Windows Server license mode that's used.
Valid values
PerSeat
PerServer

OSDSetupAdditionalUpgradeOptions
Applies to the Upgrade Operating System step.
(input)
Specifies the additional command-line options that are added to Windows Setup during a Windows 10 upgrade. The task sequence doesn't verify the command-line options.
For more information, see Windows Setup Command-Line Options.
OSDStateFallbackToNAA
Applies to the Request State Store step.
(input)
When the computer account fails to connect to the state migration point, this variable specifies whether the task sequence falls back to use the network access account (NAA).
For more information on the network access account, see Accounts.
Valid values
true
false (default)
OSDStateSMPRetryCount
Applies to the Request State Store step.
(input)
Specifies the number of times that the task sequence step tries to find a state migration point before the step fails. The specified count must be between 0 and 600.
OSDStateSMPRetryTime
Applies to the Request State Store step.
(input)
Specifies the number of seconds that the task sequence step waits between retry attempts. The number of seconds can be a maximum of 30 characters.
OSDStateStorePath
Applies to the following steps:
Capture User State
Release State Store
Request State Store
Restore User State
(input)
The network share or local path name of the folder where the task sequence saves or restores the user state. There is no default value.
OSDTargetSystemDrive
Applies to the Apply OS Image step.
(output)
Specifies the drive letter of the partition that contains the OS files after the image is applied.
OSDTargetSystemRoot (input)
Applies to the Capture OS Image step.
Specifies the path to the Windows directory of the installed OS on the reference computer. The task sequence verifies it as a supported OS for capture by Configuration
Manager.
OSDTargetSystemRoot (output)
Applies to the Prepare Windows for Capture step.
Specifies the path to the Windows directory of the installed OS on the reference computer. The task sequence verifies it as a supported OS for capture by Configuration
Manager.
OSDTimeZone (input)
Applies to the Apply Windows Settings step.
Specifies the default time zone setting that's used in the new OS.
Set the value of this variable to the language invariant name of time zone. For example, use the string in the Std value for a time zone under the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones .

OSDTimeZone (output)
Applies to the Capture Windows Settings step.
Set to the time zone of the computer. The value is set only if the OSDMigrateTimeZone variable is set to true .
OSDWindowsSettingsInputLocale
Applies to the Apply Windows Settings step.
Specifies the default input locale setting that's used in the new OS.
For more information on the Windows setup answer file value, see Microsoft-Windows-International-Core - InputLocale.
OSDWindowsSettingsSystemLocale
Applies to the Apply Windows Settings step.
Specifies the default system locale setting that's used in the new OS.
For more information on the Windows setup answer file value, see Microsoft-Windows-International-Core - SystemLocale.
OSDWindowsSettingsUILanguage
Applies to the Apply Windows Settings step.
Specifies the default user interface language setting that's used in the new OS.
For more information on the Windows setup answer file value, see Microsoft-Windows-International-Core - UILanguage.
OSDWindowsSettingsUILanguageFallback
Applies to the Apply Windows Settings step.
Specifies the fallback user interface language setting that's used in the new OS.
For more information on the Windows setup answer file value, see Microsoft-Windows-International-Core - UILanguageFallback.
OSDWindowsSettingsUserLocale
Applies to the Apply Windows Settings step.
Specifies the default user locale setting that's used in the new OS.
For more information on the Windows setup answer file value, see Microsoft-Windows-International-Core - UserLocale.
OSDWipeDestinationPartition
Applies to the Apply Data Image step.
(input)
Specifies whether to delete the files located on the destination partition.
Valid values
true (default)
false

OSDWorkgroupName
Applies to the Apply Network Settings step.
(input)
Specifies the name of the workgroup that the destination computer joins.
Specify either this variable or the OSDDomainName variable. The workgroup name can be a maximum of 32 characters.
SetupCompletePause
Applies to the Upgrade Operating System step.
Starting in version 1910, use this variable to address timing issues with the Window 10 in-place upgrade task sequence on high performance devices when Windows setup is
complete. When you assign a value in seconds to this variable, the Windows setup process delays that amount of time before it starts the task sequence. This timeout provides
the Configuration Manager client additional time to initialize.
The following log entries are common examples of this issue that you can remediate with this variable:
The TSManager component records entries similar to the following errors in the smsts.log :

Failed to initate policy evaluation for namespace 'root\ccm\policy\machine', hr=0x80041010

Error compiling client config policies. code 80041010
Task Sequence Manager could not initialize Task Sequence Environment. code 80041010

Windows setup records entries similar to the following errors in the setupcomplete.log :

Running C:\windows\CCM\\TSMBootstrap.exe to resume task sequence

ERRORLEVEL = -1073741701
TSMBootstrap did not request reboot, resetting registry
Exiting setupcomplete.cmd

SMSClientInstallProperties
Applies to the Setup Windows and ConfigMgr step.
(input)
Specifies the client installation properties that the task sequence uses when installing the Configuration Manager client.
For more information, see About client installation parameters and properties.
SMSConnectNetworkFolderAccount
Applies to the Connect To Network Folder step.
(input)
Specifies the user account that is used to connect to the network share in SMSConnectNetworkFolderPath. Specify the account password with the
SMSConnectNetworkFolderPassword value.
For more information on the task sequence network folder connection account, see Accounts.
SMSConnectNetworkFolderDriveLetter
Applies to the Connect To Network Folder step.
(input)
Specifies the network drive letter to connect to. This value is optional. If it's not specified, then the network connection isn't mapped to a drive letter. If this value is specified, the
value must be in the range from D to Z. Don't use X, it's the drive letter used by Windows PE during the Windows PE phase.
Examples
D:
E:

SMSConnectNetworkFolderPassword
Applies to the Connect To Network Folder step.
(input)
Specifies the password for the SMSConnectNetworkFolderAccount that is used to connect to the network share in SMSConnectNetworkFolderPath.
SMSConnectNetworkFolderPath
Applies to the Connect To Network Folder step.
(input)
Specifies the network path for the connection. If you need to map this path to a drive letter, use the SMSConnectNetworkFolderDriveLetter value.
Example
\\server\share

SMSInstallUpdateTarget
Applies to the Install Software Updates step.
(input)
Specifies whether to install all updates or only mandatory updates.
Valid values
All
Mandatory

SMSRebootMessage
Applies to the Restart Computer step.
(input)
Specifies the message to be displayed to users before restarting the destination computer. If this variable isn't set, the default message text is displayed. The specified message
can't exceed 512 characters.
Example
Save your work before the computer restarts.

SMSRebootTimeout
Applies to the Restart Computer step.
(input)
Specifies the number of seconds that the warning is displayed to the user before the computer restarts.
Examples
0 (default): Don't display a reboot message
60 : Display the warning for one minute
SMSTSAssignmentsDownloadInterval
The number of seconds to wait before the client attempts to download the policy since the last attempt that returned no policies. By default, the client waits 0 seconds before
retrying.
You can set this variable by using a prestart command from media or PXE.
SMSTSAssignmentsDownloadRetry
The number of times a client attempts to download the policy after no policies are found on the first attempt. By default, the client retries 0 times.
You can set this variable by using a prestart command from media or PXE.
SMSTSAssignUsersMode
Specifies how a task sequence associates users with the destination computer. Set the variable to one of the following values:
Auto : When the task sequence deploys the OS to the destination computer, it creates a relationship between the specified users and destination computer.
Pending : The task sequence creates a relationship between the specified users and the destination computer. An administrator must approve the relationship to set it.
Disabled : The task sequence doesn't associate users with the destination computer when it deploys the OS.
SMSTSDisableStatusRetry
In disconnected scenarios, the task sequence engine repeatedly tries to send status messages to the management point. This behavior in this scenario causes delays in task
sequence processing.
Set this variable to true and the task sequence engine doesn't attempt to send status messages after the first message fails to send. This first attempt includes multiple
retries.
When the task sequence restarts, the value of this variable persists. However, the task sequence tries sending an initial status message. This first attempt includes multiple
retries. If successful, the task sequence continues sending status regardless of the value of this variable. If status fails to send, the task sequence uses the value of this variable.
 NOTE
Task sequence status reporting relies upon these status messages to display the progress, history, and details of each step. If status messages fail to send, they're not queued. When
connectivity is restored to the management point, they're not sent at a later time. This behavior results in task sequence status reporting to be incomplete and missing items.

SMSTSDisableWow64Redirection
Applies to the Run Command Line step.
(input)
By default on a 64-bit OS, the task sequence locates and runs the program in the command line using the WOW64 file system redirector. This behavior allows the command to
find 32-bit versions of OS programs and DLLs. Setting this variable to true disables the use of the WOW64 file system redirector. The command finds native 64-bit versions
of OS programs and DLLs. This variable has no effect when running on a 32-bit OS.
SMSTSDownloadAbortCode
This variable contains the abort code value for the external program downloader. This program is specified in the SMSTSDownloadProgram variable. If the program returns an
error code equal to the value of the SMSTSDownloadAbortCode variable, then the content download fails and no other download method is attempted.
SMSTSDownloadProgram
Use this variable to specify an alternate content provider (ACP). An ACP is a downloader program that's used to download content. The task sequence uses the ACP instead of
the default Configuration Manager downloader. As part of the content download process, the task sequence checks this variable. If specified, the task sequence runs the
program to download the content.
SMSTSDownloadRetryCount
The number of times that Configuration Manager attempts to download content from a distribution point. By default, the client retries 2 times.
SMSTSDownloadRetryDelay
The number of seconds that Configuration Manager waits before it retries to download content from a distribution point. By default, the client waits 15 seconds before
retrying.
SMSTSDriverRequestConnectTimeOut
Applies to the Auto Apply Drivers step.
When requesting the driver catalog, this variable is the number of seconds the task sequence waits for the HTTP server connection. If the connection takes longer than the
timeout setting, the task sequence cancels the request. By default, the timeout is set to 60 seconds.
SMSTSDriverRequestReceiveTimeOut
Applies to the Auto Apply Drivers step.
When requesting the driver catalog, this variable is the number of seconds the task sequence waits for a response. If the connection takes longer than the timeout setting, the
task sequence cancels the request. By default, the timeout is set to 480 seconds.
SMSTSDriverRequestResolveTimeOut
Applies to the Auto Apply Drivers step.
When requesting the driver catalog, this variable is the number of seconds the task sequence waits for HTTP name resolution. If the connection takes longer than the timeout
setting, the task sequence cancels the request. By default, the timeout is set to 60 seconds.
SMSTSDriverRequestSendTimeOut
Applies to the Auto Apply Drivers step.
When sending a request for the driver catalog, this variable is the number of seconds the task sequence waits to send the request. If the request takes longer than the timeout
setting, the task sequence cancels the request. By default, the timeout is set to 60 seconds.
SMSTSErrorDialogTimeout
When an error occurs in a task sequence, it displays a dialog box with the error. The task sequence automatically dismisses it after the number of seconds specified by this
variable. By default, this value is 900 seconds (15 minutes).
SMSTSLanguageFolder
Use this variable to change the display language of a language neutral boot image.
SMSTSLocalDataDrive
Specifies where the task sequence stores temporary cache files on the destination computer while it's running.
Set this variable before the task sequence starts, such as by setting a collection variable. Once the task sequence starts, Configuration Manager defines the _SMSTSMDataPath
variable based on what the SMSTSLocalDataDrive variable was defined to.
SMSTSMP
Use this variable to specify the URL or IP address of the Configuration Manager management point.
SMSTSMPListRequestTimeoutEnabled
Applies to the following steps:
Install Application
Install Software Updates
(input)
If the client isn't on the intranet, use this variable to enable repeated MPList requests to refresh the client. By default, this variable is set to True .
When clients are on the internet, set this variable to False to avoid unnecessary delays.
SMSTSMPListRequestTimeout
Applies to the following steps:
Install Application
Install Software Updates
(input)
If the task sequence fails to retrieve the management point list (MPList) from location services, this variable specifies how many milliseconds it waits before it retries the step.
By default, the task sequence waits 60000 milliseconds (60 seconds) before it retries. It retries up to three times.
SMSTSPeerDownload
Use this variable to enable the client to use Windows PE peer cache. Setting this variable to true enables this functionality.
SMSTSPeerRequestPort
A custom network port that Windows PE peer cache uses for the initial broadcast. The default port configured in client settings is 8004 .
SMSTSPersistContent
Use this variable to temporarily persist content in the task sequence cache. This variable is different from SMSTSPreserveContent, which keeps content in the Configuration
Manager client cache after the task sequence is complete. SMSTSPersistContent uses the task sequence cache, SMSTSPreserveContent uses the Configuration Manager client
cache.
SMSTSPostAction
Specifies a command that's run after the task sequence completes. For example, specify shutdown.exe /r /t 30 /f to restart the computer 30 seconds after the task sequence
completes.
SMSTSPreferredAdvertID
Forces the task sequence to run a specific targeted deployment on the destination computer. Set this variable through a prestart command from media or PXE. If this variable
is set, the task sequence overrides any required deployments.
SMSTSPreserveContent
This variable flags the content in the task sequence to be kept in the Configuration Manager client cache after the deployment. This variable is different from
SMSTSPersistContent, which only keeps the content for the duration of the task sequence. SMSTSPersistContent uses the task sequence cache, SMSTSPreserveContent uses
the Configuration Manager client cache. Set SMSTSPreserveContent to true to enable this functionality.
SMSTSRebootDelay
Specifies how many seconds to wait before the computer restarts. If this variable is zero (0), the task sequence manager doesn't display a notification dialog before reboot.
Example
0 : don't display a notification
60 : display a notification for one minute
SMSTSRebootDelayNext
Starting in version 1906, use this variable with the existing SMSTSRebootDelay variable. If you want any later reboots to happen with a different timeout than the first, set
SMSTSRebootDelayNext to a different value in seconds.
Example
You want to give users a 60-minute reboot notification at the start of a Windows 10 in-place upgrade task sequence. After that first long timeout, you want additional timeouts
to only be 60 seconds. Set SMSTSRebootDelay to 3600 , and SMSTSRebootDelayNext to 60 .
SMSTSRebootMessage
Specifies the message to display in the restart notification dialog. If this variable isn't set, a default message appears.
Example
The task sequence is restarting this computer

SMSTSRebootRequested
Indicates that a restart is requested after the current task sequence step is completed. If the task sequence step requires a restart to complete the action, set this variable. After
the computer restarts, the task sequence continues to run from the next task sequence step.
HD : Restart to the installed OS
WinPE : Restart to the associated boot image
SMSTSRetryRequested
Requests a retry after the current task sequence step is completed. If this task sequence variable is set, also set the SMSTSRebootRequested variable to true . After the
computer is restarted, the task sequence manager reruns the same task sequence step.
SMSTSRunCommandLineAsUser
Starting in version 2002
Applies to the Run Command Line step.
Use task sequence variables to configure the user context for the Run Command Line step. You don't need to configure the Run Command Line step with a placeholder
account to use the SMSTSRunCommandLineUserName and SMSTSRunCommandLineUserPassword variables.
Configure SMSTSRunCommandLineAsUser with one of the following values:
true : Any further Run Command Line steps run in the context of the user specified in SMSTSRunCommandLineUserName .
false : Any further Run Command Line steps run in the context that you configured on the step.
SMSTSRunCommandLineUserName
Applies to the Run Command Line step.
(input)
Specifies the account by which the command line is run. The value is a string of the form username or domain\username. Specify the account password with the
SMSTSRunCommandLineUserPassword variable.

NOTE
Starting in version 2002, use the SMSTSRunCommandLineAsUser variable with this variable to configure the user context for this step.
In version 1910 and earlier, configure the Run Command Line step with the setting to Run this step as the following account . When you enable this option, if you're setting the user
name and password with variables, specify any value for the account.

For more information on the task sequence run-as account, see Accounts.
SMSTSRunCommandLineUserPassword
Applies to the Run Command Line step.
(input)
Specifies the password for the account specified by the SMSTSRunCommandLineUserName variable.
SMSTSRunPowerShellAsUser
Starting in version 2002
Applies to the Run PowerShell Script step.
Use task sequence variables to configure the user context for the Run PowerShell Script step. You don't need to configure the Run PowerShell Script step with a
placeholder account to use the SMSTSRunPowerShellUserName and SMSTSRunPowerShellUserPassword variables.
Configure SMSTSRunPowerShellAsUser with one of the following values:
true : Any further Run PowerShell Script steps run in the context of the user specified in SMSTSRunPowerShellUserName .
false : Any further Run PowerShell Script steps run in the context that you configured on the step.
SMSTSRunPowerShellUserName
Applies to the Run PowerShell Script step.
(input)
Specifies the account by which the PowerShell script is run. The value is a string of the form username or domain\username. Specify the account password with the
SMSTSRunPowerShellUserPassword variable.

NOTE
To use these variables, configure the Run PowerShell Script step with the setting to Run this step as the following account . When you enable this option, if you're setting the user name
and password with variables, specify any value for the account.

For more information on the task sequence run-as account, see Accounts.
SMSTSRunPowerShellUserPassword
Applies to the Run PowerShell Script step.
(input)
Specifies the password for the account specified by the SMSTSRunPowerShellUserName variable.
SMSTSSoftwareUpdateScanTimeout
Applies to the Install Software Updates step.
(input)
Control the timeout for the software updates scan during this step. For example, if you expect numerous updates during the scan, increase the value. The default value is 3600
seconds (60 minutes). The variable value is set in seconds.
SMSTSUDAUsers
Specifies the primary users of the destination computer by using the following format: <DomainName>\<UserName> . Separate multiple users by using a comma ( , ). For more
information, see Associate users with a destination computer.
Example
contoso\jqpublic, contoso\megb, contoso\janedoh

SMSTSWaitForSecondReboot
Applies to the Install Software Updates step.
(input)
This optional task sequence variable controls client behavior when a software update installation requires two restarts. Set this variable before this step to prevent a task
sequence from failing because of a second restart from software update installation.
Set the SMSTSWaitForSecondReboot value in seconds to specify how long the task sequence pauses on this step while the computer restarts. Allow sufficient time in case
there's a second restart.
For example, if you set SMSTSWaitForSecondReboot to 600 , the task sequence pauses for 10 minutes after a restart before additional steps run. This variable is useful when a
single Install Software Updates task sequence step installs hundreds of software updates.

NOTE
This variable only applies to a task sequence that deploys an OS. It doesn't work in a custom task sequence.

TSDebugMode
Starting in version 1906, set this variable to TRUE on a collection or computer object to which the task sequence is deployed. Any device that has this variable set will put any
task sequence deployed to it into debug mode.
For more information, see Debug a task sequence.
TSDebugOnError
Starting in version 1910, set this variable to TRUE to automatically start the task sequence debugger when the task sequence returns an error.
Set this variable using:
The Set Task Sequence Variable step
A collection variable. For more information, see How to set variables.
TSDisableProgressUI
Use this variable to control when the task sequence displays progress to end users. To hide or display progress at different times, set this variable multiple times in a task
sequence.
true : Hide task sequence progress
false : Display task sequence progress
TSErrorOnWarning
Applies to the Install Application step.
(input)
Specify whether the task sequence engine considers a detected warning as an error during this step. The task sequence sets the _TSAppInstallStatus variable to Warning when
one or more applications, or a required dependency, didn't install because it didn't meet a requirement. When you set this variable to True , and the task sequence sets
_TSAppInstallStatus to Warning , the outcome is an error. A value of False is the default behavior.
TSProgressInfoLevel
Starting in version 2002
Specify this variable to control the type of information that the task sequence progress window displays. Use the following values for this variable:
1 : Include the current step and total steps to the progress text. For example, 2 of 10 .
2 : Include the current step, total steps, and percentage completed. For example, 2 of 10 (20% complete) .
3 : Include the percentage completed. For example, (20% complete) .

TSUEFIDrive
Use on the properties of a FAT32 partition in the Variable field. When the task sequence detects this variable, it prepares the disk for transition to UEFI before it restarts the
computer. For more information, see Task sequence steps to manage BIOS to UEFI conversion.
WorkingDirectory
Applies to the Run Command Line step.
(input)
Specifies the starting directory for a command-line action. The specified directory name can't exceed 255 characters.
Examples
C:\
%SystemRoot%

Deprecated variables
The following variables are deprecated:
OSDAllowUnsignedDriver : Isn't used when deploying Windows Vista and later operating systems
OSDBuildStorageDriverList : Only applies to Windows XP and Windows Server 2003
OSDDiskpar tBiosCompatibilityMode : Only needed when deploying Windows XP or Windows Server 2003
OSDInstallEditionIndex : Not needed post-Windows Vista
OSDPreser veDriveLetter : For more information, see OSDPreserveDriveLetter
OSDPreserveDriveLetter

IMPORTANT
This task sequence variable is deprecated.
During an OS deployment, by default, Windows Setup determines the best drive letter to use (typically C:).

Previous behavior: when applying an image, the OSDPreverveDriveLetter variable determines whether the task sequence uses the drive letter captured in the image file
(WIM). Set the value for this variable to false to use the location that you specify for the Destination setting in the Apply Operating System task sequence step. For more
information, see Apply OS image.

See also
Task sequence steps
Using task sequence variables
Planning considerations for automating tasks
 Prestart commands for task sequence media in
Configuration Manager
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

You can create a prestart command in Configuration Manager to use with boot media, stand-alone media, and
prestaged media. The prestart command is a script or executable that runs before the task sequence is selected
and can interact with the user in Windows PE. The prestart command can prompt a user for information and save
it in the task sequence environment or query a task sequence variable for information. When the destination
computer boots, the command-line is run before the policy is downloaded from the management point. Use the
following procedures to create a script to use for the prestart command, distribute the content associated with
the prestart command, and configure the prestart command in media.

Create a script file to use for the Prestart Command

Task sequence variables can be read and written by using the Microsoft.SMS.TSEnvironment COM object while
the task sequence is running. The following example illustrates a Visual Basic script file that queries the
_SMSTSLogPath task sequence variable to get the current log location. The script also sets a custom variable.

dim osd: set env = CreateObject("Microsoft.SMS.TSEnvironment")

dim logPath
' You can query the environment to get an existing variable.
logPath = env("_SMSTSLogPath")
' You can also set a variable in the OSD environment.
env("MyCustomVariable") = "varname"

Create a Package for the Script File and Distribute the Content
After you create the script or executable for the prestart command, you must create a package source to host the
files for the script or executable, create a package for the files (no program required), and then distribute the
content to a distribution point.
For more information about creating a package, see Packages and programs.
For more information about distributing content, see Distribute content.

Configure the Prestart Command in Media

You can configure a prestart command in the Create Task Sequence Media Wizard for stand-alone media,
bootable media, or prestaged media. For more information about the media types, see Create task sequence
media. Use the following procedure to create a prestart command in media.
To create a prestart command in media
1. In the Configuration Manager console, click Software Librar y .
2. In the Software Librar y workspace, expand Operating Systems , and then click Task Sequences .
3. On the Home tab, in the Create group, click Create Task Sequence Media to start the Create Task
Sequence Media Wizard.
4. On the Select Media Type page, select Stand-alone media , Bootable media , or Prestaged media ,
 and then click Next .
5. Navigate to the Customization page of the wizard. For more information about configuring the other
pages in the wizard, see Create task sequence media.
6. On the Customization page, specify the following information, and then click Next .
Select Enable prestar t command .
In the Command line text box, enter the script or executable that you created for the prestart
command.

IMPORTANT
Use cmd /C <prestar t command> to specify the prestart command. For example, if you used
TSScript.vbs as the name for your prestart command script, you would enter cmd /C TSScript.vbs for the
command line. Where cmd /C opens a new Windows command interpreter window and uses the Path
environment variable to find the prestart command script or executable. You can also specify the full path to
the prestart command, but the drive letter could be different on computers with different drive
configurations.

Select Include files for the prestar t command .

Click Set to select the package that is associated with the prestart command files.
Click Browse to select the distribution point that hosts the content for the prestart command.
7. Complete the wizard.
 Provisioning mode
9/4/2020 • 2 minutes to read • Edit Online

Applies to: Configuration Manager (current branch)

During an OS deployment task sequence, Configuration Manager places the client in provisioning mode. (An OS
deployment task sequence includes in-place upgrade to Windows 10.) In this state, the client doesn't process policy
from the site. This behavior allows the task sequence to run without risk of additional deployments running on the
client. When the task sequence completes, either success or handled failure, it exits client provisioning mode.
If the task sequence unexpectedly fails, the client can be left in provisioning mode. For example, if the device
restarts in the middle of task sequence processing, and it's unable to recover. An administrator must manually
identify and fix clients in this state.

Manually remove provisioning mode

If a client is left in provisioning mode, use this manual process to return the client to normal operation.

Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $false

IMPORTANT
One of the changes made by this WMI method is setting a registry value, but it makes other changes as well. Just changing
the registry value doesn't fully take the client out of provisioning mode. If you manually edit the registry, the client may
exhibit unexpected behaviors.

Client provisioning mode timeout

Starting in version 1902, the task sequence sets a timestamp when it puts the client in provisioning mode. Every
60 minutes, a client in provisioning mode checks the duration of time since the timestamp. If it's been in
provisioning mode for more than 48 hours, the client automatically exits provisioning mode and restarts its
process.
48 hours is the default provisioning mode timeout value. You can adjust this timer on a device by setting the
ProvisioningMaxMinutes value in the following registry key: HKLM\Software\Microsoft\CCM\CcmExec . If this value
doesn't exist or is 0 , the client uses the default 48 hours.
The timestamp ProvisioningEnabledTime is located in the following registry key:
HKLM\Software\Microsoft\CCM\CcmExec . The timestamp has a value of the last time the machine entered provisioning
mode. The format is epoch (Unix timestamp) and is in UTC.
This timestamp is also reset to the current time when you manually place the machine in provisioning mode by
using the following command:

Invoke-WmiMethod -Namespace root\CCM -Class SMS_Client -Name SetClientProvisioningMode -ArgumentList $true

Process flow diagrams

These diagrams show the process flow for the task sequence and the client.
Task sequence
The following diagram shows how the task sequence sets provisioning mode:

Client remediation
The following diagram shows how the client exits provisioning mode:
See also
Setup Windows and ConfigMgr
Upgrade Operating System