Graeme Bray

Real World Automation and Deployment

Unable to mount the WIM/DISM was unable to set the system root

with 5 comments

My company has recently started to deploy Server 2012 R2.  Before we could do this, the security team had to develop the policies to apply to the systems before we were allowed to do so.  Naturally, this means there are times when we have to troubleshoot issues caused by restrictive policies.  I started the process to deploy a new MDT server to replace one of my 2008 MDT systems that hosts WDS, to attempt to get past the issue documented here.

I built my MDT server with MDT 2013 and the ADK, and copied my old Deployment Share over to get the process started.  I updated my bootstrap.ini file to show the proper server name and tried to build a new boot image.  *BAM!*  I was hit with an error as soon as it started.

Unable to mount the wim, so the update process cannot continue.


I looked and searched high and low for the cause.  I removed policies, thinking I knew what the issue was.  I *couldn’t* find it.  I took a break and came back to it by adding policies one at a time to see what broke my process.

I was able to get past this issue by changing the following setting:

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignments

  • Backup Files and Directories – Add Administrators back in
  • Restore Files and Directories – Add Administrators back in

These two policy settings had been set to Backup Operators only, to grant the least rights possible.

This should alleviate the first issue.


Once I fixed this issue (re-applied group policy, logged out/in), I attempted to re-build my WIM file.  I was hit by the next errors.

  • DISM Imaging Servicing Utility has stopped working
  • DISM was unable to set the system root (target path) for the Windows PE image, so the update process cannot continue.
    • Exit Code = -1073741819
    • DISM /Set-TargetPath failed, rc = -1073741819


Well…crap.  Back to looking.  I had an idea what the issue may be by looking at my event logs.  In my (fast scrolling, due to advanced auditing) security logs, I was able to see some Task Category entries for Process Creation.  I can’t claim to know what all of this means, but I did see that it was attempting to get a new token for the WIM build.

Process Information:
New Process ID: 0x1010
New Process Name: C:\Windows\System32\cmd.exe
Token Elevation Type: TokenElevationTypeFull (2)
Creator Process ID: 0x918
Process Command Line:

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
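As an added example, not part of the original post, the following PowerShell pulls the same Process Creation events (Security log, event ID 4688) programmatically instead of scrolling the log by eye, and shows the fields the post reads off the event: new process, creator process and Token Elevation Type. It assumes Audit Process Creation is enabled (it was on the server in the post) and that the script runs elevated so the Security log is readable; the 15-minute window and the dism/imagex/cmd name filter are my own assumptions, and the %%1936 to %%1938 mapping is the one the Security log uses for the three token types described above.

```powershell
# Added example (not from the original post): list recent process-creation events
# (Security log, ID 4688) with the token elevation type, so a failing DISM run can be
# correlated with the process that was started and the token it received.
# Assumptions: Audit Process Creation is enabled and this runs from an elevated prompt.

# Mapping used by the Security log for the TokenElevationType field (see event 4688 docs)
$tokenTypes = @{
    '%%1936' = 'TokenElevationTypeDefault (1)'  # full token: UAC off, built-in Administrator, or service
    '%%1937' = 'TokenElevationTypeFull (2)'     # elevated token (Run as administrator)
    '%%1938' = 'TokenElevationTypeLimited (3)'  # filtered admin token
}

$since  = (Get-Date).AddMinutes(-15)          # assumed window; widen it for a slow build
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # The rendered message is locale-dependent; the XML EventData is not, so read that instead.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $rawToken = $data['TokenElevationType']
    $token    = if ($tokenTypes.ContainsKey($rawToken)) { $tokenTypes[$rawToken] } else { $rawToken }

    [pscustomobject]@{
        Time        = $_.TimeCreated
        NewProcess  = $data['NewProcessName']
        NewPid      = [int]$data['NewProcessId']   # logged as a hex string such as 0x1010
        CreatorPid  = [int]$data['ProcessId']      # 4688 names the creator (parent) PID "ProcessId"
        Token       = $token
        CommandLine = $data['CommandLine']         # empty unless command-line auditing is enabled
    }
} |
    Where-Object { $_.NewProcess -match 'dism|imagex|cmd' } |   # assumed filter for an MDT build
    Sort-Object Time |
    Format-Table -AutoSize
```

Reading the output next to the post's excerpt: a `cmd.exe` started with `TokenElevationTypeFull (2)` and a creator PID belonging to the MDT workbench is the "new token for the WIM build" the post refers to. The `Process Command Line` field is blank in the post's excerpt and stays blank here unless the "Include command line in process creation events" audit setting is enabled, so the creator PID is usually the more useful field for tying the child process back to its parent.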

Tokens Eh?  I remember seeing a policy for that!

Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignments

  • Create Token Object

I added Administrators, applied policy, logged out/in.  No dice.  I read a little more.


Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignments

  • Create global objects – Add Administrators.

Bingo!  Our setting had LOCAL SERVICE and NETWORK SERVICE only.  Once I adjusted this setting, I was able to build my WIMs successfully.
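As an added example (not code from the original post), here is a PowerShell pre-flight check for the three User Rights Assignments this post ends up changing, Backup files and directories, Restore files and directories and Create global objects, so the next MDT server can be verified before the first boot-image build rather than after the DISM failures above. It assumes an elevated prompt on the MDT server and uses the built-in `secedit.exe` export of the local security policy; the `$requiredRights` table, the temporary file path and the wording of the warnings are my own.

```powershell
# Added example (not from the original post): verify that BUILTIN\Administrators still
# holds the user rights this post found were needed to mount a WIM and set its target path.
# Assumptions: run from an elevated PowerShell prompt on the MDT server; secedit.exe is built in.
# secedit exports the effective local policy to an INF whose [Privilege Rights] section lists
# each right as a comma-separated set of SIDs, each prefixed with '*'.

$requiredRights = @{
    'SeBackupPrivilege'       = 'Backup files and directories'
    'SeRestorePrivilege'      = 'Restore files and directories'
    'SeCreateGlobalPrivilege' = 'Create global objects'
}
$administratorsSid = 'S-1-5-32-544'    # well-known SID for BUILTIN\Administrators

$inf = Join-Path $env:TEMP 'userrights-check.inf'   # assumed scratch path
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null   # USER_RIGHTS limits the export to privileges
if (-not (Test-Path $inf)) { throw "secedit export failed; run this from an elevated prompt." }

# Parse lines such as:  SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
$assignments = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+Privilege)\s*=\s*(.*)$') {
        $assignments[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$problems = 0
foreach ($right in $requiredRights.Keys) {
    $holders = $assignments[$right]          # $null when the right is assigned to nobody
    if ($holders -contains $administratorsSid) {
        Write-Host ("OK      {0,-24} ({1}) includes Administrators" -f $right, $requiredRights[$right])
    } else {
        $problems++
        $holderText = if ($holders) { $holders -join ', ' } else { '<nobody>' }
        Write-Warning ("MISSING {0,-24} ({1}) is held only by: {2}" -f $right, $requiredRights[$right], $holderText)
    }
}

if ($problems -gt 0) {
    Write-Warning "Add Administrators back to the rights flagged above in the GPO, then run gpupdate /force and log off/on before rebuilding the boot image."
} else {
    Write-Host "All required rights present; the WIM mount and DISM /Set-TargetPath steps should not be blocked by user rights."
}
```

Because the rights are reported as SIDs rather than names, the check works the same whether the GPO lists the group as Administrators or as its SID, and the export reflects what is actually in effect on the server after policy refresh, which is the state DISM runs under. Running it after the `gpupdate /force` and log-off/log-on the post describes confirms the change landed before spending another build cycle on it.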

I hope this blog post is useful for someone else!


Written by Graeme

March 26, 2014 at 2:21 PM

Posted in MDT

5 Responses

  1. Hi, I kept getting ‘DISM had stopped working’ on MDT and when I tried to run it by itself under ‘CMD’. I just changed the ‘Create global objects’ and added ‘Administrators’ to the setting and after a MANDATORY! restart DISM worked perfectly! Thanks for the tutorial!!!!

    Barry Wood

    February 17, 2015 at 10:29 AM

  2. All, this post was bob on and this resolved my issue for creating WIM’s. For security you might find that this is not default permissions when a server is provisioned by your friendly corporate infrastructure team!

    Chopper

    September 7, 2015 at 3:54 AM

  3. For me DISM.exe was crashing. I simply replaced it from a working server :\windows\system32\dism.exe

    Kip

    September 15, 2015 at 9:20 AM

  4. Thanks a lot!

    Serge Shutikov

    October 19, 2015 at 2:59 PM

  5. Software Restriction Run policy created this error. I just went into Regedit and removed the policy while performing this task: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0 and deleted everything. Otherwise, could have reviewed Event Log.

    Josh

    November 24, 2015 at 1:38 PM
