Final Configuration for MDT 2013 Lite Touch, now with Autologon support

Sometimes you want to execute a script after the MDT 2013 Task Sequence is completed, for example to clean up any setup leftovers or to configure a user for autologon (something that MDT prevents by default).

Note: This also works in later MDT versions.

This script cleans out any leftover C:\MININT or C:\_SMSTaskSequence folders, optionally enables autologon with another user account, disables the setup wizard for Microsoft Security Essentials (if added to the reference image), and then does a proper final reboot.

Note: For the script to work, you need to set SkipFinalSummary=YES in CustomSettings.ini (the script checks for it).

Download from:
https://github.com/DeploymentResearch/DRFiles/tree/master/Scripts/Final%20Configuration%202013

The Final Configuration Utility for MDT 2013 in action.

Add the script to Deployment Workbench

Adding the script is quite straightforward: add it as an application, and then call the application as the last action in the Task Sequence. In this example my MDT server is named MDT01, and my deployment share is named MDT Production. For these steps I assume you have downloaded the script and extracted it to D:\Setup\Final Configuration 2013.

  1. Using the Deployment Workbench, in the MDT Production node, select the Applications node, and create a folder named ViaMonstra.
  2. Expand the Applications node, right-click the ViaMonstra folder, and select New Application. Use the following settings for the New Application Wizard:
    1. Application with source files
    2. Publisher:
    3. Application name: Final Configuration for MDT 2013
    4. Version:
    5. Language:
    6. Source Directory: D:\Setup\Final Configuration 2013
    7. Specify the name of the directory that should be created: Final Configuration for MDT 2013
    8. Command Line: cscript.exe Configure-FinalConfig.wsf
    9. Working directory:
The application added to the Deployment Workbench.

Configure the task sequence to use the script

After the application is added, you simply add it as the last action in the Task Sequence. In this example I'm adding the script to my Windows 8.1 Enterprise x64 task sequence, which I created in a folder (node) named Windows 8.1.

  1. Using the Deployment Workbench, in the MDT Production node, select the Task Sequences / Windows 8.1 node.
  2. Right-click the Windows 8.1 Enterprise x64 task sequence, and select Properties.
  3. After the last action in the task sequence, add a new Install Application action with the following settings:
    1. Name: Final Configuration for MDT 2013
    2. Install a Single Application: Final Configuration for MDT 2013
  4. Click OK.
Application added to the task sequence

Optional configuration, enabling autologon for another user account

If you want to enable another user for autologon, simply uncomment lines 113-120 in the FinalConfig.hta file, and change the user, domain and password. If you want to log on with a local user, set the domain to ".". Here is an example for a normal domain account:

StatusArea.InnerHTML=StatusArea.InnerHTML & "<BR>" & "Enable autologon for another user account."
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", 1, "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonCount", 999, "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName", "Johan", "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultDomainName", "VIAMONSTRA", "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword", "[email protected]", "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceAutoLogon", 1, "REG_SZ"
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD", 1, "REG_DWORD"
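
The values written above leave the account's password in clear text in DefaultPassword under the Winlogon key. The following PowerShell is an added example, not part of the Final Configuration download: it audits those values and can switch autologon off again; the function names are hypothetical and the sample data is constructed.

```powershell
# Added example, not part of the Final Configuration download.
# Function names are hypothetical; the value names are the ones the block above writes.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ValueNames  = 'AutoAdminLogon','AutoLogonCount','DefaultUserName',
               'DefaultDomainName','DefaultPassword','ForceAutoLogon','DisableCAD'

function Get-WinlogonValues {
    # Read the live key into a hashtable; values that do not exist come back as $null.
    $props  = Get-ItemProperty -Path $WinlogonKey
    $values = @{}
    foreach ($name in $ValueNames) { $values[$name] = $props.$name }
    return $values
}

function Test-AutologonValues {
    # Pure check over a hashtable of Winlogon values, so it can be run on sample data.
    # Reports that a password is present but never echoes it.
    param([Parameter(Mandatory)][hashtable]$Values)
    $findings = @()
    if ("$($Values['AutoAdminLogon'])" -eq '1') {
        $findings += "Autologon enabled for $($Values['DefaultDomainName'])\$($Values['DefaultUserName'])"
    }
    if (-not [string]::IsNullOrEmpty([string]$Values['DefaultPassword'])) {
        $findings += 'DefaultPassword holds a clear-text password'
    }
    if ("$($Values['ForceAutoLogon'])" -eq '1') {
        $findings += 'ForceAutoLogon is set'
    }
    $count = $Values['AutoLogonCount'] -as [int]
    if ($count -gt 0) { $findings += "AutoLogonCount is $count" }
    return $findings
}

function Disable-Autologon {
    # Run elevated once automatic logon is no longer needed.
    Set-ItemProperty -Path $WinlogonKey -Name 'AutoAdminLogon' -Value '0'
    foreach ($name in 'DefaultPassword','AutoLogonCount','ForceAutoLogon') {
        Remove-ItemProperty -Path $WinlogonKey -Name $name -ErrorAction SilentlyContinue
    }
}

# Constructed sample mirroring the values from the article's block (placeholder password).
$sample = @{
    AutoAdminLogon = '1'; AutoLogonCount = '999'; ForceAutoLogon = '1'; DisableCAD = 1
    DefaultUserName = 'Johan'; DefaultDomainName = 'VIAMONSTRA'
    DefaultPassword = 'PLACEHOLDER-not-a-real-password'
}
Test-AutologonValues -Values $sample | ForEach-Object { "FINDING: $_" }

# On a deployed machine:  Test-AutologonValues -Values (Get-WinlogonValues)
```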

Happy Deployment! / Johan

About the author

Johan Arwidmark

rebrec
21 days ago

Thanks for this great article and the application package that suits my needs perfectly.
For your information, when setting FinishAction=REBOOT, MDT will clean up and restart the computer in parallel with the execution of your script, leading to a non-working autologon (most of the time).
To make it work, I have specifically added in my TS a Set task sequence variable action with FinishAction=<EMPTY>.
Maybe you could add some information about this specific use case.
Thanks again!

Flemming
2 months ago

Why is it necessary to set SKIPFINALSUMMARY to "YES"? Can the script not run with SKIPFINALSUMMARY set to "NO"? Why did you make the check for this setting?

xulei lu
4 months ago

Hi John
I encountered some problems. I added a command under new computer only -> validate to clear the original information of the disk. diskpart.exe select disk 0 clean exit looks like this, and everything goes well. But after entering the system, I found that I lost my IP address, the applications were not executed, and the MIMINT folder appeared on the D drive. Do you know what the problem is?

Mohamad Berjawi
4 months ago

I have used that script and it works successfully. I have upgraded Windows 7 to Windows 10 with MDT and added that script as the last task, but I am getting an error message after each restart saying "cannot find the script c:\minint\scripts\litetouch.wsf".
I made sure that the customsettings.ini under the deployment share has the value for skipfinalsummary set to yes.
Am I missing something here? Any ideas how to solve that, please?

Jeremy Saunders
1 year ago

Hey Johan,
Great scripts and process. I found that the return code from "Configure-FinalConfig.wsf" is not working correctly and leaving an error. iZTIRetValue must equal 0 or 1, but not as a string. You can also use Success or Failure as you know. But using "0" or "1" as a string does not exit with valid return codes.
Cheers, Jeremy

Kim Underbjerg Sønderriis
1 year ago

Hey Johan, great script! I have tried to enable autologon for a workgroup TS by using your script but it doesn't seem to work :-/ During the TS I have a PS script which creates the local user. I have installed your script as described above and edited the HTA file with my info for the local user. The user gets created and your script is started, but I can see in the log file it writes "ZTI ERROR – Non-zero return code by Configure-FinalConfig". I can't figure out where I have made a mistake :-/ Can you give me…

dary
1 year ago

Hi Johan,
regarding automatic login for another user account.

How should I proceed with the script?
Where should I put your lines of text in the script?

Admin
6 years ago

Hi Anry,

Don't know about that one, please email me the bdd.log and I can take a quick look

/ Johan

Admin
6 years ago

Hi Cindy,

The only thing that comes to mind is the timeout, try increasing it in the HTA.

Change line 80 to iTimerID = window.setInterval("Configuration",45000)

/ Johan

anry
6 years ago

Windows 7 image finishes successfully with only 1 error in EventViewer from the Final Config script.

ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0

What can be the reason?

SkipFinalSummary=YES is set

ssoun
6 years ago

Hello Johan,

Great script!!! It is working great on our Windows 7 and Windows 8.1 deployments but fails on only laptops. Can you enlighten me on what I am doing wrong?

Thank you,

Cindy

Admin
6 years ago

No, the LTI cleanup process runs after the task sequence is finished, that's why you should use this HTA instead. And please stop using batch files, use PowerShell or VBScript.

/ Johan

motnahp00
6 years ago

Can I add a batch script that runs at the end of the task sequence so I can achieve autologon?

Admin
6 years ago

The whole point of the HTA is to run after the task sequence completes. E.g. there is no task sequence object.

If you want to pass task sequence parameters to the HTA, do what I do in the script for the domain value. E.g. have the VBScript that runs during the task sequence read the variables, and pass them as arguments to the HTA.

/ Johan

jsevans
6 years ago

Hello Johan, For my Windows 8.1 LTI deploy on a Surface Pro 3, I tweaked the FinalConfig.hta file in an attempt to use dynamic admin username (OSDJoinAccount) and password (OSDJoinPassword) to populate the registry with Autologon info. Logic is that I would obtain these TS properties by including the following in the FinalConfig.hta file:

Set TSEnv = CreateObject("Microsoft.SMS.TSEnvironment")
sAdminAccountPassword = TSEnv("OSDJoinPassword")
sAdminAccount = TSEnv("OSDJoinAccount")

But it fails with an "ActiveX component can't create object: Microsoft.SMS.TSenvironment" error. So I thought maybe it's caused by cscript.exe running as a 64-bit process in a 32-bit environment… so I updated my "Final Configuration for 2013" command line to:…

Admin
6 years ago

If you cannot use the built-in logon dialog box (that sets the userdomain, userid, and userpassword variables), you need to pop up a dialog box (HTA or VBScript), or modify the default wizard to ask for additional user info, and set those as custom variables.

Then you need to modify the final configuration to read the variables and use them. As an example you can see how the VBScript reads the domain variable and passes it over to the HTA.

/ Johan

saxknicks
6 years ago

So I am interested in the prompt for username/password for the auto login section of the HTA, but I am unsure of how to go about that. Could you help me out with that?

Admin
6 years ago

You can have the vbscript pass those variables to the HTA (as arguments), like I do with the domain value.

/ Johan

jsevans
6 years ago

Johan, As always… thanks for all the tips/tricks and advice. Your Final Configuration script works great for scenarios where we are okay with hardcoding username and password (e.g. testing in DEV environment) but in our government department, we have many installers so we need dynamic DefaultUserName and DefaultPassword. In my Windows 7 (MDT 2010) TS, I used a VBScript that wrote the autologon data based on the installer's username and password provided in the "User Credentials" wizard. I create the "Microsoft.SMS.TSEnvironment" object and then set the variables: sAdminAccountPassword = oSccmTSE("OSDJoinPassword") and sAdminAccount = oSccmTSE("OSDJoinAccount"). So when I try to use the…

Admin
6 years ago

Hard to say, and btw, you don't need to update the boot images when changing a task sequence.

Mail me the log files and I can take a quick look (contact info on the about page).

/ Johan

call911
6 years ago

I have followed all the steps, added SkipFinalSummary=YES to my Deployment Share Rules, added the steps to the Task Sequence, rebuilt the boot images, and I can't get this to work. Everything images as needed, but then just sits at the desktop of the newly imaged computer. I don't see any popups. What could I be missing?

Harter
6 years ago

I have the exact same problem as "femilovechild" from 7/17/2014:

ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0
Event 41002 sent: ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0 Configure-FinalConfig

As far as I could see you have answered offline. Could you please provide me the same answer? Thanks

Admin
6 years ago

Sorry, don't know, haven't tried

/ Johan

jewen
6 years ago

I was wondering if there is a way to reduce the number of autologons down to 3. I like the feature and used to do something similar using the unattend.xml file before I met MDT. Just for info I tried adjusting the 999 value to 3. To test I just created a custom task sequence and ran the litetouch.vbs script from an already built win 8-1 vm which did have the FinalConfig set as the last task. This however didn't seem to make a difference. I am probably missing something really easy. Many thanks on your generous contribution, I like many…

Admin
6 years ago

Sure, you can prompt for variables, that then are written to the registry by the script.

/ Johan

mstarace
6 years ago

Great work! Is there any way that this can be tweaked to have it prompt you for default username and default password each time before it reboots and logs the person in?

Thanks!

Admin
6 years ago

Haven't tried in SCCM, but you could try using this script: http://www.windows-noob.com/forums/index.php?/topic/2804-setting-up-autologin-at-the-end-of-sccm-osd/

/ Johan

dcaldwell
6 years ago

Until recently, we used SCCM TS to build and capture our reference image. During deployment TS using SCCM, we would populate the previously noted Winlogon keys and then use the TS restart computer step to reboot and the computer would successfully autologin. Now we have built our reference image using MDT 2013, and imported it into SCCM to deploy. With the same SCCM TS, the autologin keys get reset on the last reboot and there is no autologin. What process is resetting the keys at the end of the SCCM TS? Any suggestions on getting this to work with SCCM? P.S. I've never…

Admin
6 years ago

You can absolutely modify the script to take parameters sent from MDT. If you want an example, check the previous version of this HTA, which took the domain parameter sent from MDT and used that in the HTA. https://deploymentresearch.com/Research/tabid/62/EntryId/17/Final-Configuration-for-MDT-2010-Lite-Touch.aspx

/ Johan

ajdirks
6 years ago

Thank you for this autologin config, it has helped tremendously.

I manage an environment where we have multiple AD accounts that autologin to computers using mandatory profiles. With this in mind, is it possible to have your script insert autologon reg keys depending on computer name, OU, or application package chosen from MDT wizard?

Thanks!!

Admin
6 years ago

Sorry, this example only works in MDT Lite Touch.

/ Johan

ajensen
6 years ago

Can I use this in SCCM TS without MDT integration, if I copy the files needed from the MDT lib and make my own package?

If the above works, which files are then needed? ZTIUtility.vbs, LTICleanup.wsf..

/ Anders

Admin
6 years ago

Jurgen, works with both Windows 7 and Windows 8.1 (and Windows Server)

/ Johan

Admin
6 years ago

Hmm, I haven't tested the script on a workgroup machine, did you have the task sequence (or the script) create the local Student user with a blank password as well? Anyway, send me an email, and I can follow up offline. You find the contact details in the About page.

/ Johan

femilovechild
6 years ago

Thanks for all the knowledge you have been impacting. I have a problem with the script on MDT 2013 deploying standalone laptops Windows 7. I get the following error in the log file:

ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0
Event 41002 sent: ZTI ERROR – Non-zero return code by Configure-FinalConfig, rc = 0 Configure-FinalConfig

The laptop does not do autologon even though I have uncommented the section to run the autologon script, i.e.:

' Enable autologon for another user account (comment out these lines)
StatusArea.InnerHTML=StatusArea.InnerHTML & "" & "Enable autologon for another user account."
oShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon", 1,…

valkenaer
6 years ago

Hi Johan,

Is this script specifically written with Windows 8 in mind or will it also work with Windows 7?

Jurgen

Admin
6 years ago

To the default MDT log file locations: C:\MININT\SMSOSD\OSDLOGS during deployment (in running Windows), and C:\Windows\Temp\DeploymentLogs after a completed deployment.

/ Johan

Chris
6 years ago

Where are the log files being written to?

Admin
7 years ago

Yes, you should remove FinishAction=Reboot.

/ Johan

joebrug
7 years ago

Should you remove FinishAction=Reboot from cs.ini if using this script?

Admin
7 years ago

You can set the default username, or clear the username info via registry/policies.

/ Johan

joebrug
7 years ago

I join my domain during MDT. However, when MDT is completed and reboots (FinishAction=Reboot) the computer comes up with default username as the local administrator. I want the default login method to be to our domain. In fact, shouldn't we be disabling local administrator? Thanks!

Teknologist
7 years ago

That worked, thank you!

Admin
7 years ago

Uncommenting means removing the ' character before lines 113 – 120, so that they look like the sample at the end of the article.

/ Johan

Teknologist
7 years ago

Hi Johan,

first of all I would like to thank you because after I started learning MS deployment solutions, about 3 weeks ago, you have been an invaluable resource.

Can you please help me, I am trying to autologin with an ITAdmin local account that is created at first boot, when you say "If you want to enable another user for autologon, simply uncomment those lines in the FinalConfig.hta file" I don't really understand, and what I have tried does not work. Can you please give me an example?!

Thanks again!

/ Frank

Admin
7 years ago

Deploy the machine into a Staging OU with no policies, and have MDT call a web service to move the machine to the final OU at the end of the task sequence.

/ Johan

jeffe17505
7 years ago

I have a slightly different problem. We have been using MDT 2013 for some time now via removable media (USB) with very good results. However, since enabling PXE and doing this over the network we're getting an odd problem. The TS is set to autologon with administrator and with the correct password. This has always worked perfectly with removable media. However, now running the exact same TS from the deployment share, it is trying to autologon with "./administrator" and failing. We DO have a GPO that dynamically renames the admin account to something else. With removable media, GPO doesn't apply…

Admin
7 years ago

You can have this frontend parse the log files and write output on the screen.

/ Johan

tcapacci@hotmail.com
7 years ago

Hi Johan,

This works for me, however I am missing the Final Summary to retrieve any errors that happened during deployment. Any way to get that included in the final screen?

Admin
7 years ago

The user-specific desktop folder is not created until the user logs in.

/ Johan

