Using a Custom Recovery partition (WinRE) for domain joined computers.

After quite a few requests I’ve spent some time working out a new task sequence and updated file package for my original post “Configuring Windows RE with MDT 2012 Update 1”. The first version, which I published for MDT 2010, required manual configuration in order to work properly; the updated post for MDT 2012 was built on top of that work but rewrote almost everything in order to make it a lot easier to use. I also included a proof-of-concept, ready-to-use WinRE image (a modified WindowsPE image).

This updated version includes a new scenario that I’ve seen many try to implement after finding my post and then stumble upon various issues.

In a nutshell, here is what happens during the task sequence (obviously edits can be made to adjust it to your needs):

  • Windows is deployed onto the system, but using a different partition layout: 2 partitions, the first is 10GB and marked as Recovery partition using Type 27, and the second is the remaining volume space for Windows.
  • After Windows has been installed, during the State Restore phase, a script copies the custom WinRE image to the Recovery partition and uses ReAgentC.exe to configure Windows to use the custom WinRE environment.
  • Once all the steps in State Restore have been finished, Windows will reboot into WindowsPE (litetouchPE) and capture the Windows installation that was just installed to the Recovery partition.

This allows for very fast recovery of the system if the operating system is really messed up, as long as the bootmgr is still able to boot and the hardware is healthy. This solution is very similar to the recovery partitions that the big brand OEMs supply with their systems.

The original task sequence I created would sysprep the system before rebooting into PE to capture the image, but this would disjoin the computer from the domain (if joined to a domain) and also cause an OOBE to appear after the task sequence was completed. This scenario would be fine for workgroup computers, or for a system builder who wants to provide a recovery solution with their PCs to their customers. However, I’ve been contacted by quite a few fellow admins working for large companies who also want to set up something similar, but without having the machine disjoin from the domain.

The extra task sequence that’s provided in the script file package now actually does just that, it will work for enterprise usage… at a cost (I can’t see a way around this, but we’ll come to that in a minute).

  • Once all the tasks in the State Restore phase have been completed, it moves on to the [Custom] Capture Image group. Instead of sysprepping the system, it now starts a different script.
  • This script does the following: it removes the drive letter R: from the recovery partition (this normally happens during sysprep), removes the auto-logon/resume of the task sequence upon Windows logon, re-enables the System Restore function, removes the registry entry for the last logged-on user (this is not the policy setting “do not display last user name”; it ensures that the computer does not display pcname\administrator when it boots up for the first time) and, last but most important, sets the registry setting that disables the computer password change.
  • After that it reboots into WinPE and captures the image, and it’s done. Once you boot into Windows you’re still joined to the domain, and if you recover the image right away you’re still joined to the domain.

I would like to point out that the last item, disabling the computer password change, is not a recommended setting. However, this is the only way to keep the system joined to the domain without losing its AD trust when restoring the recovery image after 30 days (if anyone knows an alternative I’m all ears). If you want to implement a solution like this, I would recommend you read the following two TechNet blog articles:

For more details on the task sequence itself and how to use it (as it’s almost identical to the original one), I’d like to refer to the original post.
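
A read-only check of the state the cleanup script described above is meant to leave behind, useful before the capture and again after a restore. This is an added example, not part of the original file package; the registry value names are the standard Windows ones, and that the script edits exactly these values is an assumption.

```powershell
# Added example, not from the original file package. Read-only audit; run elevated.
# Value names are the standard Windows ones (assumed to be what the script edits).
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings = New-Object System.Collections.Generic.List[object]

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}
function Add-Finding([string]$Check, [string]$State, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; State = $State; Detail = $Detail })
}

# 1. Machine account password rotation (the setting the post calls not recommended).
if ((Get-RegValue $netlogon 'DisablePasswordChange') -eq 1) {
    Add-Finding 'MachinePasswordChange' 'DISABLED' 'Password never rotates; record this host as an accepted exception'
} else {
    $age = Get-RegValue $netlogon 'MaximumPasswordAge'
    if ($null -eq $age) { $age = 30 }   # Windows default when the value is absent
    Add-Finding 'MachinePasswordChange' 'Enabled' "Rotates about every $age days; an older restored image can lose its AD trust"
}

# 2. Auto-logon left over from the task sequence would put a plaintext password in the image.
$auto = Get-RegValue $winlogon 'AutoAdminLogon'
$pass = Get-RegValue $winlogon 'DefaultPassword'
if ($auto -eq '1' -or $null -ne $pass) {
    Add-Finding 'AutoLogon' 'PRESENT' "AutoAdminLogon=$auto, DefaultPassword set: $($null -ne $pass)"
} else {
    Add-Finding 'AutoLogon' 'Clean' 'No auto-logon values found'
}

# 3. The type 27 (0x27) recovery partition should have no drive letter.
#    Get-Partition needs Windows 8 or later; the check is skipped elsewhere.
if (Get-Command Get-Partition -ErrorAction SilentlyContinue) {
    $lettered = @(Get-Partition | Where-Object { $_.MbrType -eq 0x27 -and [int]$_.DriveLetter -ne 0 })
    if ($lettered.Count -gt 0) {
        Add-Finding 'RecoveryPartition' 'EXPOSED' "Mounted as $($lettered[0].DriveLetter):"
    } else {
        Add-Finding 'RecoveryPartition' 'Hidden' 'No lettered type 27 partition'
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A `DISABLED` result on the first check is the expected outcome of this task sequence, so the value of the report is in keeping an inventory of machines that carry a non-rotating machine password.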

The script files and ts.xml files are available for download on the TechNet Gallery, and the custom WinRE images are available for download on my SkyDrive.

Kind regards,

Stephan Schwarz
