Sometimes you want to execute a script after the MDT Task Sequence is completed, for example to clean up any setup leftovers or to configure a user for autologon (something that MDT prevents by default).
This script cleans out any leftover C:\MININT or C:\_SMSTaskSequence folders, optionally enables autologon with another user account, and then does a proper final reboot.
Note: For the script to work, you need to set SkipFinalSummary=YES and make sure the FinishAction variable is not set in CustomSettings.ini.
Download from:
https://github.com/DeploymentResearch/DRFiles/tree/master/Scripts/FinalConfigurationForMDT

Add the script to Deployment Workbench
Adding the script is quite straightforward: add it as an application, and then call the application as your last action in the Task Sequence. In this example my MDT server is named MDT01, and my deployment share is named MDT Production. For these steps I assume you have downloaded the files from GitHub and extracted them to C:\Setup\Final Configuration for MDT.

- Using the Deployment Workbench, in the MDT Production node, select the Applications node, and create a folder named ViaMonstra.
- Expand the Applications node, right-click the ViaMonstra folder, and select New Application. Use the following settings for the New Application Wizard:
  - Application with source files
  - Publisher:
  - Application name: Final Configuration for MDT
  - Version:
  - Language:
  - Source Directory: C:\Setup\Final Configuration for MDT
  - Specify the name of the directory that should be created: Final Configuration for MDT
  - Command Line: cscript.exe Invoke-FinalConfiguration.wsf
  - Working directory:

Configure the task sequence to use the script
After the application is added you simply add the application as your last action in the Task Sequence. In this example I'm adding the script to my Windows 8.1 Enterprise x64 task sequence which I created in a folder (node) named Windows 8.1.
- Using the Deployment Workbench, in the MDT Production node, select the Task Sequences / Windows 8.1 node.
- Right-click the Windows 8.1 Enterprise x64 task sequence, and select Properties.
- After the last action in the task sequence, add a new Install Application action with the following settings:
  - Name: Final Configuration for MDT
  - Install a Single Application: Final Configuration for MDT
- Click OK.

Optional configuration, enabling autologon for another user account
If you want to enable another user for autologon, uncomment lines 113-120 in the FinalConfig.hta file, and change the user, domain and password. If you want to log on with a local user, set the domain to ".". Here is an example for a normal domain account.
StatusArea.InnerHTML=StatusArea.InnerHTML & "<BR>" & "Enable autologon for another user account."
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", 1, "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonCount", 999, "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", "Johan", "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "VIAMONSTRA", "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword", "P@ssw0rd", "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceAutoLogon", 1, "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD", 1, "REG_DWORD"
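A read-only post-deployment check for the values and folders this page deals with, as an added example that is not part of the FinalConfigurationForMDT files: it lists the Winlogon autologon values without echoing the password, and reports a clear-text DefaultPassword, active autologon, and any leftover C:\MININT or C:\_SMSTaskSequence folder. The function names Get-AutologonAudit and Get-AutologonFinding are hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example, not part of FinalConfig.hta. Read-only audit of a deployed
# client; run from an elevated PowerShell prompt.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Value names written by the autologon lines shown above
$AutologonValues = 'AutoAdminLogon', 'AutoLogonCount', 'DefaultUserName',
    'DefaultDomainName', 'DefaultPassword', 'ForceAutoLogon', 'DisableCAD'

# Folders the final configuration script is meant to remove
$LeftoverFolders = 'C:\MININT', 'C:\_SMSTaskSequence'

# Hypothetical helper: one row per registry value or folder checked
function Get-AutologonAudit {
    $props = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    foreach ($name in $AutologonValues) {
        $present = $props.PSObject.Properties.Name -contains $name
        $value = if ($present) { $props.$name } else { $null }
        # Report that a password exists without echoing it
        if ($present -and $name -eq 'DefaultPassword') { $value = '<set, not displayed>' }
        [pscustomobject]@{ Check = $name; Present = $present; Value = $value }
    }
    foreach ($folder in $LeftoverFolders) {
        [pscustomobject]@{ Check = $folder; Present = (Test-Path -LiteralPath $folder); Value = $null }
    }
}

# Hypothetical helper: turn the audit rows into findings to act on
function Get-AutologonFinding {
    param([Parameter(Mandatory)] [object[]] $Audit)
    $row = @{}
    foreach ($item in $Audit) { $row[$item.Check] = $item }

    if ($row['DefaultPassword'].Present) {
        'DefaultPassword is stored as a clear-text string under the Winlogon key.'
    }
    if ("$($row['AutoAdminLogon'].Value)" -eq '1') {
        $count = $row['AutoLogonCount'].Value
        "Autologon is enabled for $($row['DefaultDomainName'].Value)\$($row['DefaultUserName'].Value) (AutoLogonCount: $count)."
    }
    if ("$($row['DisableCAD'].Value)" -eq '1') {
        'DisableCAD is 1: Ctrl+Alt+Del is not required at logon.'
    }
    foreach ($folder in $LeftoverFolders) {
        if ($row[$folder].Present) { "Setup leftover still on disk: $folder" }
    }
}

$audit = Get-AutologonAudit
$audit | Format-Table -AutoSize
Get-AutologonFinding -Audit $audit
```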
Happy Deployment! / Johan
Hi Johan,
Thank you for creating this amazing guide. I really appreciate your work. I have done all of the above-mentioned steps 1:1 but am unable to get this script running on the latest Windows 22H2. Can you please share a video or guide me on what I am doing wrong here?
Thanks in advance
Hi,
I have made some updates to the script on GitHub, and verified it on both Windows 10 21H2 and Windows 10 22H2. Should be ok now.
Hi,
The tool works great even though it errors out. For some reason it detects FinishAction as configured (though I don't have it as a step in the TS nor in the config.ini file) and of course it errors out rc = 1. However, with the exception of not rebooting the client, it cleans up everything so job completed!
I made some updates to the script. Would you mind testing it again and see if the new version behaves better?
I imagine it was the Invoke-FinalConfiguration.wsf that was changed right? I replaced it and there's no change.
Correct, I changed some logic on the detection of the FinishAction variable. Can you send the Invoke-FinalConfiguration.log file?
Sorry for the late reply, I wanted to post back right then but the site crashed and then I forgot about it.
Looks like the FinishAction variable is not set. Can you please contact me on LinkedIn, and I can follow up offline.
Hey, unfortunately not, I don't have a social media presence.
Ah, well, then drop me an email at my last name at gmail.com
Hey,
I checked your new version and now it works, error free!
Thank you.
Yay, and thanks for the update!
Great tool, it would be great if you could look into the 22H2 support because .HTA are opened by MSHTA.exe and rendered by MSHTML and MS has no support for it anymore.
There is now a fix available for the MDT Lite Touch script issue. See the official docs here for a workaround: https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/configmgr/mdt/known-issues.md
Does this script only work with reference images that were previously sysprepped, or can you do a bare metal install of Windows via MDT?
The script works with both default images as well as captured images.
Great, I'm having a difficult time getting it to run on either. It just errors out with a generic error.
MDT 2013 does not support Windows 10 at all, you would have to be on MDT 8456. Anyway, I've made some minor updates to the script as well as the instructions and verified that it works on Windows 10 21H2.
I can get this to run on Windows 10 21H2, using MDT 2013. I get the following errors.
<![LOG[Application Final Configuration DMPFGUACPTRFfor MDT 2013 returned an unexpected return code: 1]LOG]!><time="12:06:23.000+000" date="09-13-2022" component="ZTIApplications" context="" type="3" thread="" file="ZTIApplications">
Great addition to my MDT collection, no doubt about that. However, I'd like to know if you experimented with parameters yet? I want to assign the username, optional domain and password in my TS and let your tool do the autologon magic "dynamically".
EDIT: Does your script need the LTICleanup Autologon section commented out or doesn't it care at all?
You can absolutely send any variable to this script since it's started from the task sequence. As far as modifying the LTICleanup code, that is not needed, since the script runs after that.
I am failing to understand where the config.hta comes into play and where it should be placed. I am trying to get the deployed machine to accept an auto logon for a local user, but there is no mention of where the Config.hta should be placed?
Hi Adam,
Just add it to the scripts folder in your deployment share.
Thanks for this great article and the application package that suits my needs perfectly.
For your information, when setting FinishAction=REBOOT, MDT will clean up and restart the computer in parallel with the execution of your script, leading to a non-working autologon (most of the time).
To make it work, I have specifically added in my TS a Set task sequence variable action with FinishAction=<EMPTY>.
Maybe you could add some information about this specific use case.
Thanks again!
If you need a reboot for this scenario, I recommend adding that to the final configuration feature instead of using the FinishAction variable. It's a good tip to add in a hardcoded variable in the event someone adds it.
Hello Johan,
I have a question regarding MDT vbs scripts, I made a shortcut to mdt via a desktop icon and whenever I run a task sequence the computer always reboots. How do I stop this from happening?
It can be many reasons but check what the FinishAction variable is set to in your cs.ini file.
Why is it necessary to set SKIPFINALSUMMARY to "YES"? Can the script not run with SKIPFINALSUMMARY set to "NO"? Why did you make the check for this setting?
The check was there to make sure MDT finished with its cleanup etc. before launching a script that reboots the computer etc. You might get away by removing the check, but it's not something I've tested.
/ Johan
Hi john
I encountered some problems. I added a command under new computer only—->validate to clear the original information of the disk. diskpart.exe select disk 0 clean exit looks like this, and everything goes well. But after entering the system, I found that I lost my ip address, the applications were not executed, and the MIMINT folder appeared on the D drive. Do you know what the problem is?
This script should be the last action of the task sequence, and the script does nothing to disk or network, so I'm a bit confused about the issues you're seeing. Please reach out to me on LinkedIn, and I'll see what I can do to help you.
I have used that script and it works successfully. I have upgraded Windows 7 to Windows 10 with MDT and added that script as the last task, but I am having an error message after each restart saying "cannot find the script c:\minint\scripts\litetouch.wsf".
I made sure that the customsettings.ini under the deployment share has the value for skipfinalsummary set to yes.
Am I missing something here? Any ideas how to solve that, please?
Sorry, I have not tested this script with upgrade task sequences, only the standard client ones (bare metal). My best guess is that the cleanup script of MDT does not run correctly, so there is still an entry to run it again.
Hey Johan,
Great scripts and process. I found that the return code from "Configure-FinalConfig.wsf" is not working correctly and leaving an error. iZTIRetValue must equal 0 or 1, but not as a string. You can also use Success or Failure as you know. But using "0" or "1" as a string does not exit with valid return codes.
Cheers, Jeremy
Thanks, fixed the code, and also moved it to GitHub: https://github.com/DeploymentResearch/DRFiles/tree/master/Scripts/Final%20Configuration%202013
Hey Johan, great script! I have tried to enable autologon for a workgroup TS by using your script but it doesn't seem to work :-/ During the TS I have a PS script which creates the local user. I have installed your script as described above and edited the HTA file with my info for the local user. The user gets created and your script is started, but I can see in the log file it writes "ZTI ERROR – Non-zero return code by Configure-FinalConfig". I can't figure out where I have made a mistake :-/ Can you give me…
I haven't tested this on workgroup machines, but ping me on LinkedIn, and I'll see what I can do to help.
Hi Johan,
Regarding automatic login for another user account:
How should I proceed with the script?
Where should I put your lines of text in the script?
Simply uncomment lines 113-120 in the FinalConfig.hta file, and edit the values.
Hi Anry,
Don't know about that one, please email me the bdd.log and I can take a quick look.
/ Johan
Hi Cindy,
The only thing that comes to mind is the timeout, try increasing it in the HTA.
Change line 80 to iTimerID = window.setInterval("Configuration",45000)
/ Johan
Windows 7 image finishes successfully with only 1 error in EventViewer from the Final Config script.
ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0
What can be the reason?
SkipFinalSummary=YES is set
Hello Johan,
Great script!!! It is working great on our Windows 7 and Windows 8.1 deployments but fails on only laptops. Can you enlighten me on what I am doing wrong?
Thank you,
Cindy
No, the LTI cleanup process runs after the task sequence is finished, that's why you should use this HTA instead. And please stop using batch files, use PowerShell or VBScript.
/ Johan
Can I add a batch script that runs at the end of the task sequence so I can achieve autologon?
The whole point of the HTA is to run after the task sequence completes. E.g. there is no task sequence object.
If you want to pass task sequence parameters to the HTA, do what I do in the script for the domain value. E.g. have the VBScript that runs during the task sequence read the variables, and pass them as arguments to the HTA.
/ Johan
Hello Johan, For my Windows 8.1 LTI deploy on a Surface Pro 3, I tweaked the FinalConfig.hta file in an attempt to use dynamic admin username (OSDJoinAccount) and password (OSDJoinPassword) to populate the registry with Autologon info. Logic is that I would obtain these TS properties by including the following in the FinalConfig.hta file:
Set TSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
sAdminAccountPassword = TSEnv("OSDJoinPassword")
sAdminAccount = TSEnv("OSDJoinAccount")
But it fails with an "ActiveX component can't create object: Microsoft.SMS.TSenvironment" error. So I thought maybe it's caused by cscript.exe running as 64-bit process in a 32-bit environment…so I updated my "Final Configuration for 2013" command line to:…
If you cannot use the built-in logon dialog box (that sets the userdomain, userid, and userpassword variables), you need to pop-up a dialog box (HTA or VBScript), or modify the default wizard to ask for additional user info, and set those as custom variables.
Then you need to modify the final configuration to read the variables and use them. As an example you can see how the VBScript reads the domain variable and passes it over to the HTA.
/ Johan
So I am interested in the prompt for username/password for the auto login section of the HTA, but I am unsure of how to go about that. Could you help me out with that?
You can have the vbscript pass those variables to the HTA (as arguments), like I do with the domain value.
/ Johan
Johan, As always…thanks for all the tips/tricks and advice. Your Final Configuration script works great for scenarios where we are okay with hardcoding username and password (e.g. testing in DEV environment) but in our government department, we have many installers so we need dynamic DefaultUserName and DefaultPassword. In my Windows 7 (MDT 2010) TS, I used a VBScript that wrote the autologon data based on the installers username and password provided in the "User Credentials" wizard. I create the "Microsoft.SMS.TSEnvironment" object and then set the variables : sAdminAccountPassword = oSccmTSE("OSDJoinPassword") and sAdminAccount = oSccmTSE("OSDJoinAccount"). So when I try use the…
Hard to say, and btw, you don't need to update the boot images when changing a task sequence.
Mail me the log files and I can take a quick look (contact info on the About page).
/ Johan
I have followed all the steps, added SkipFinalSummary=YES to my Deployment Share Rules, added the steps to the Task Sequence, rebuilt the boot images, and I can't get this to work. Everything images as needed, but then just sits at the desktop of the newly imaged computer. I don't see any popups. What could I be missing?
I have the exact same problem as "femilovechild" from 7/17/2014:
ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0
Event 41002 sent: ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0 Configure-FinalConfig
As far as I could see you have answered offline. Could you please provide me the same answer? Thanks
Sorry, don't know, haven't tried
/ Johan
I was wondering if there is a way to reduce the amount/number of autologons down to 3. I like the feature and used to do something similar using the unattend.xml file before I met MDT. Just for info I tried adjusting the 999 value to 3. To test I just created a custom task sequence and ran the litetouch.vbs script from an already built win 8-1 vm which did have the FinalConfig set as the last task. This however didn't seem to make a difference. I am probably missing something really easy. Many thanks on your generous contribution, I like many…
Sure, you can prompt for variables, that then are written to the registry by the script.
/ Johan
Great work! Is there any way that this can be tweaked to have it prompt you for default username and default password each time before it reboots and logs the person in?
Thanks!
Haven't tried in SCCM, but you could try using this script: http://www.windows-noob.com/forums/index.php?/topic/2804-setting-up-autologin-at-the-end-of-sccm-osd/
/ Johan
Until recently, we used SCCM TS to Build and capture our reference image. During deployment TS using SCCM, we would populate the previous noted Winlogon keys and then use the TS restart computer step to reboot and the computer would successfully autologin. Now we have built our reference image using MDT 2013, and imported into sccm to deploy. The same SCCM TS, and the autologin keys get reset on the last reboot and no autologin. What process is resetting the keys at the end of the SCCM TS? Any suggestions on getting this to work with SCCM? P.S. I've never…
You can absolutely modify the script to take parameters sent from MDT. If you want an example, check the previous version of this HTA which took the domain parameter sent from MDT and used that in the HTA. https://deploymentresearch.com/Research/tabid/62/EntryId/17/Final-Configuration-for-MDT-2010-Lite-Touch.aspx
/ Johan
Thank you for this autologin config, it has helped tremendously.
I manage an environment where we have multiple AD accounts that autologin to computers using mandatory profiles. With this in mind, is it possible to have your script insert autologon reg keys depending on computer name, OU, or application package chosen from MDT wizard?
Thanks!!
Sorry, this example only works in MDT Lite Touch.
/ Johan
Can I use this in an SCCM TS without MDT integration, if I copy the files needed from the MDT lib and make my own package?
If the above works, which files are then needed? ZTIUtility.vbs, LTICleanup.wsf..
/ Anders
Jurgen, works with both Windows 7 and Windows 8.1 (and Windows Server)
/ Johan
Hmm, I haven't tested the script on a workgroup machine, did you have the task sequence (or the script) create the local Student user with a blank password as well? Anyway, send me an email, and I can follow up offline. You find the contact details on the About page.
/ Johan
Thanks for all the knowledge you have been impacting. I have a problem with the script on MDT 2013 deploying standalone laptops Windows 7. I get the following error in the log file; ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0 Event 41002 sent: ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0 Configure-FinalConfig The laptop does not do autologon even though I have uncommented the section to run the autologon script i.e; ' Enable autologon for another user account (comment out these lines) StatusArea.InnerHTML=StatusArea.InnerHTML & "" & "Enable autologon for another user account." oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", 1,…
Hi Johan,
Is this script specifically written with Windows 8 in mind or will it also work with Windows 7?
Jurgen
To the default MDT log files locations: C:\MININT\SMSOSD\OSDLOGS during deployment (in running Windows), and C:\Windows\Temp\DeploymentLogs after a completed deployment.
/ Johan
Where are the log files being written to?
Yes, you should remove FinishAction=Reboot.
/ Johan
Should you remove FinishAction=Reboot from cs.ini if using this script?
You can set the default username, or clear the username info via registry/policies.
/ Johan
I join my domain during MDT. However, when MDT is completed and reboots (FinishAction=Reboot) the computer comes up with default username as the local administrator. I want the default login method to be to our domain. In fact, shouldn't we be disabling local administrator? Thanks!
That worked, thank you!